Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2761 articles · 175003 vulns · 36/41 feeds (7d)
← Back to list
6.5
CVE-2026-49296PATCHED
apache software foundation · apache airflow

Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}

Description

Before apache-airflow 3.3.0, a user authorized to read one Dag could disclose the source of other Dags co-located in the same source file. `GET /api/v2/dagSources/{dag_id}` — and the equivalent Dag-source view in the UI — returned the entire source file without redacting Dags the caller was not authorized to read, bypassing per-DAG read authorization. Deployments that co-locate multiple Dags in a single file and rely on per-DAG access control to limit source visibility are affected; single-Dag-per-file deployments are not. Upgrade to apache-airflow 3.3.0 or later.

Affected Products

VendorProductVersions
apache software foundationapache airflow3.0.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apacheairflowcert_advisory90%

References

  • https://github.com/apache/airflow/pull/67662(patch)
  • https://lists.apache.org/thread/qqv41t3oydkn9o14r2rfz1wkdrsp5jzn(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories6d ago
[NEU] [mittel] Apache Airflow: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security6d ago
CVE-2026-49296: Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
→ No new info (linked only)
Tier C
VulDB6d ago
CVE-2026-49296 | Apache Airflow up to 3.2.x DAG Source api/v2/dagSources access control
→ No new info (linked only)
CVSS 3.16.5 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited❌ No
Patch available
3.3.0
CWECWE-639
PublishedJul 7, 2026
Last enriched6d agov2
Trending Score18
Source articles3
Independent3
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-59245EXP
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Trending: 49
NONECVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 49
NONECVE-2026-49365
Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Trending: 18
NONECVE-2026-49099
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Trending: 18
NONECVE-2026-49098
Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
Trending: 18

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: description, severity
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v2
Last enriched 6d ago
v2Tier C6d ago

Updated description with new details, changed severity to HIGH, and noted that no exploit exists.

descriptionseverity
via VulDB
v16d ago

Initial creation