CVE-2026-38743PATCHED

apache software foundation · apache airflow

Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

Description

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL prompts and TaskInstance fields routinely carry operator parameters and free-form context attached to a task, the leak widens visibility of DAG-run data beyond the intended per-DAG RBAC boundary for every authenticated user. Users are recommended to upgrade to version 3.2.1 , which fixes this issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache airflow	0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
apache	airflow	cert_advisory	90%

References

https://github.com/apache/airflow/pull/64822(patch)
https://lists.apache.org/thread/sk2wj0x48o8qb4p7c47gvnhjbm0mg396(vendor-advisory)

Related News (3 articles)

Tier B

BSI Advisories11h ago

[NEU] [niedrig] Apache Airflow: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen

→ No new info (linked only)

Tier C

oss-security3d ago

CVE-2026-38743: Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

→ No new info (linked only)

Tier C

VulDB3d ago

CVE-2026-38743 | Apache Airflow up to 3.2.0 Request Parameter /ui/dags insufficient granularity of access control

→ No new info (linked only)

CVSS 3.14.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.2.1

CWECWE-1220

PublishedApr 24, 2026

Last enriched3d agov2

Trending Score37

Source articles3

Independent3

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-41635EXP

Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE

Trending: 74

CRITICALCVE-2026-41409

Apache MINA: CWE-502 Deserialization of Untrusted Data

Trending: 44

CRITICALCVE-2026-40860

Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

Trending: 43

CRITICALCVE-2026-33454

Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant)

Trending: 38

CRITICALCVE-2026-40453

Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection

Trending: 34

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 24, 2026

Discovered by ZDM

Apr 24, 2026

Updated: description, affectedVersions, severity

Apr 24, 2026

Patch Available

Apr 24, 2026

Version History

Last enriched 3d ago

v2Tier C3d ago

Updated description with new technical details, changed affected versions to include 3.2.0, updated severity to HIGH, and noted that no exploit is available.

descriptionaffectedVersionsseverity

via VulDB

v13d ago

Initial creation