CVE-2026-40963: Apache Airflow Unauthorized DAG Metadata Disclosure
Apache Airflow's UI structure_data endpoint was leaking metadata about linked workflows (DAGs) to users who shouldn't see them. An authenticated user with permission to view one workflow could discover the names and dependency relationships of other workflows they weren't authorized to access. This is a read-only information disclosure—no data modification or system disruption occurs—but it can undermine team isolation in multi-tenant Airflow deployments where workflow topology is considered sensitive.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-285
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The structure_data endpoint in the Airflow UI failed to enforce per-DAG read authorization before returning external dependency graph nodes for linked DAGs. When a user with read access to DAG A queried the endpoint, the response included node identifiers and dependency metadata for DAG B, C, and other linked DAGs without verifying the caller's read permission on those downstream/upstream DAGs. This violates the access control model in deployments that partition DAG visibility by team or role. The issue stems from incomplete authorization checks in the endpoint handler (CWE-285: Improper Authorization).
Business impact
In shared Airflow environments where different teams manage separate workflows, this vulnerability enables cross-team workflow discovery. A user from Team A can infer the existence, names, and interdependencies of Team B's critical workflows. While direct access to Team B's DAG definitions remains blocked, leaked topology information can aid reconnaissance, inform social engineering, or reveal business-sensitive process flows. Organizations that use Airflow's per-DAG RBAC to enforce strict workflow isolation should prioritize remediation.
Affected systems
Apache Airflow versions prior to 3.2.2 are affected. Any deployment using the web UI or REST API to query the structure_data endpoint with multi-DAG environments and per-DAG read scoping is potentially vulnerable. Self-managed and cloud-hosted Airflow instances are both at risk if running vulnerable versions.
Exploitability
Exploitation requires valid Airflow UI or API credentials (PR:L in CVSS). An authenticated user simply needs to query the structure_data endpoint for a DAG they are authorized to read; linked DAG metadata is returned without additional interaction or complex attack steps. However, the attack surface is limited to users who already have authentication and at least one DAG read grant. The CVSS score of 3.1 (LOW) reflects limited confidentiality impact and high barrier to exploitation (AC:H suggests the vulnerability may only manifest under specific deployment configurations or DAG linkage topologies).
Remediation
Upgrade to Apache Airflow 3.2.2 or later. In that version, the structure_data endpoint enforces read authorization checks on all linked DAGs before returning their metadata in the response graph. No workarounds are available for older versions; patching is the primary remediation path. Verify the upgrade against the official Apache Airflow release notes and security advisory.
Patch guidance
Consult the Apache Airflow project's official release notes for version 3.2.2 and later. The patch adds authorization validation logic to the structure_data endpoint handler. Deployment steps vary by installation method (pip, Docker, Kubernetes, managed services); follow your vendor's upgrade procedure. Test the update in a non-production environment first, especially if your Airflow instance has custom plugins or extensions that extend the UI or API. Rolling upgrades are typically safe but confirm with your deployment topology before production rollout.
Detection guidance
In the short term, monitor Airflow API/UI access logs for queries to the structure_data endpoint by users with limited DAG read scope. If users access structure_data for a DAG they own but the response includes linked DAGs outside their authorized scope, log those events for investigation. Enable Airflow's audit logging if available in your version. Implement network-level monitoring if the Airflow API is exposed; look for unusual patterns of cross-DAG queries. After patching, re-audit access logs to confirm authorization checks are now enforced.
Why prioritize this
This vulnerability rates LOW severity due to its limited scope (information disclosure only), requirement for prior authentication, and conditional exploitability. However, prioritization should reflect your organization's data classification and team isolation model. If your Airflow deployment uses per-DAG RBAC to enforce strict workflow secrecy across teams, or if workflow topology is considered confidential intellectual property, prioritize the patch in your next maintenance window. If Airflow is internal-only and workflows are not sensitive, defer to a routine patch cycle. The lack of KEV status and public exploit suggests minimal real-world pressure, but the fix is straightforward.
Risk score, explained
CVSS 3.1 (LOW) balances several factors: confidentiality impact is low because only metadata and topology are leaked, not DAG code or execution logs; integrity and availability are unaffected; the attacker needs valid credentials and at least one DAG read grant; and the vulnerability is conditional on specific deployment configurations (AC:H). The score is not indicative of business risk in your environment—adjust your internal risk ranking based on whether workflow topology isolation is a compliance or security requirement.
Frequently asked questions
Can an attacker modify or execute linked DAGs they discover via this vulnerability?
No. The vulnerability is read-only information disclosure. An attacker cannot modify, execute, or access the code or logs of linked DAGs they are not authorized to read. Discovery of a DAG's existence and its upstream/downstream dependencies does not grant execution or modification rights.
Do I need to patch if all my Airflow users are trusted and internal?
If all Airflow users are internal, trusted, and workflow topology is not confidential, the risk is low. However, if you enforce per-DAG RBAC for any reason—compliance, team separation, or future access restrictions—you should still patch to maintain the integrity of your access control model.
Will upgrading to 3.2.2 break my existing DAG definitions or API clients?
Airflow 3.2.2 is intended to be a patch release with backward compatibility. However, always test upgrades in a non-production environment first. If you have custom plugins or extensions that interact with the structure_data endpoint, verify they are compatible with the patched endpoint's new authorization behavior.
How can I confirm the patch was applied correctly?
After upgrading, test the structure_data endpoint with a low-privilege user who has read access to only one DAG. The response should no longer include metadata for other linked DAGs outside that user's scope. Compare the response structure against your pre-patch baseline and the Airflow 3.2.2 release notes to confirm authorization checks are active.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. The vulnerability description, CVSS score, affected versions, and patch information are sourced from official vulnerability databases and Apache Airflow project advisories; verify all specifics against your vendor's documentation before making patching or deployment decisions. Your organization's risk assessment should account for your specific Airflow configuration, data sensitivity, and compliance obligations. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends consulting with your internal security team and the Apache Airflow project for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41115MEDIUMApache Kafka CONSUMER_GROUP_DESCRIBE Authorization Documentation Mismatch
- CVE-2026-0072HIGHAndroid XR InputMethodManagerService Privilege Escalation (CVSS 7.8)
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)