MEDIUM 4.3

CVE-2026-41014: Apache Airflow Unauthorized DAG Access via Asset Permissions

Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41014 is an improper access control vulnerability in Apache Airflow's partitioned_dag_runs endpoints. The vulnerability stems from enforcement of asset-level permissions (Asset:read) without corresponding per-DAG authorization checks. An authenticated user holding global Asset:read permission can query the partitioned_dag_runs endpoint to enumerate partition run metadata, schedule configuration, and asset dependency graphs for DAGs outside their authorization scope. This represents a broken access control pattern where coarse-grained permissions bypass fine-grained resource isolation. The issue is classified as CWE-862 (Missing Authorization). CVSS score 4.3 reflects the low attack complexity, low privilege requirement, and information disclosure nature (confidentiality impact only, no integrity or availability compromise).

Business impact

The primary risk is unauthorized information disclosure. Users with legitimate need-to-know restrictions on sensitive DAGs—such as those processing regulated data, competitive workloads, or isolated team projects—may have their pipeline state and configuration exposed to colleagues with broader asset permissions. This could leak business logic, data dependencies, scheduling patterns, and asset integrations. Organizations using Airflow for multi-tenant environments, compliance-regulated workflows, or team-based access controls face the highest exposure. The impact is bounded because no data modification or pipeline disruption is possible; this is reconnaissance-level access only.

Affected systems

Apache Airflow versions prior to 3.2.2 are affected. The vulnerability only manifests in deployments configured with per-DAG read access restrictions (role-based or user-based isolation) while concurrently granting users or roles Asset:read permission at the global level. Deployments with flat access models (everyone can read everything, or access is role-locked at DAG level without asset-level separation) are not vulnerable to this specific authorization bypass because the permission inconsistency does not arise.

Exploitability

Exploitation requires an existing authenticated user account with UI or API access. An attacker cannot exploit this remotely without credentials. Once authenticated, the attack is trivial: any user with Asset:read permission can simply invoke or query the partitioned_dag_runs endpoint. No special tooling, social engineering, or race conditions are required. The barrier to exploitation is authentication and presence of the permission misconfiguration, not technical sophistication. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the advisory date.

Remediation

Upgrade Apache Airflow to version 3.2.2 or later. The patch enforces per-DAG authorization checks on the partitioned_dag_runs endpoints, ensuring that Asset:read permission alone does not grant access to restricted DAGs. Organizations unable to upgrade immediately should audit Airflow role assignments to identify users or service accounts with global Asset:read permissions, and restrict those permissions to only users requiring broad asset visibility. Consider implementing network-level access controls to the partitioned_dag_runs endpoint if segmentation is critical and patching is delayed.

Patch guidance

Verify the Apache Airflow release notes and vendor advisory for version 3.2.2 or later to confirm the authorization fix is included. Test the upgrade in a staging environment with a replica of your role-based access control configuration to ensure the per-DAG checks function as expected and do not break legitimate user workflows. Monitor for any API calls to partitioned_dag_runs endpoints during and after the upgrade to detect anomalies or access pattern changes. If you are using Apache Airflow provided as a managed service (e.g., AWS MWAA, GCP Cloud Composer), check the vendor's upgrade timeline and apply patches according to their release schedule.

Detection guidance

Review Airflow audit logs and API access logs for queries to partitioned_dag_runs endpoints, particularly from users or service accounts with Asset:read permission but restricted DAG access. Look for repeated or bulk enumeration of partition state and schedule metadata across multiple DAGs. Implement alerting on unauthorized DAG metadata access patterns. Check role assignments and permission matrices to identify over-provisioned Asset:read grants that may be exploited. In the absence of comprehensive audit logging, a manual permissions audit comparing DAG-level restrictions against asset-level permissions is prudent.

Why prioritize this

This vulnerability merits prompt but not emergency patching. The CVSS score of 4.3 (Medium) reflects low attack complexity and the information-disclosure-only impact. The main drivers for prioritization are: (1) likelihood of misconfigured access control in multi-team Airflow deployments, (2) potential for subtle data leakage in compliance-sensitive environments, and (3) ease of exploitation once a malicious insider or over-privileged account is present. Organizations relying on Airflow role separation for data governance or team isolation should prioritize the upgrade within 4–6 weeks. Others may schedule patching within routine maintenance windows.

Risk score, explained

The CVSS 4.3 score reflects: Attack Vector (Network) and low privilege requirement (authenticated user), resulting in moderate accessibility; Attack Complexity (Low) because no special conditions are required; Confidentiality impact (Low) because only metadata and configuration are exposed, not actual data; and no impact to Integrity or Availability. The severity is Medium rather than High because the vulnerability does not enable data modification, denial of service, or remote code execution, and the attack prerequisite (authentication) limits blast radius. The score appropriately penalizes authorization bypass but recognizes the limited scope of disclosure.

Frequently asked questions

Does this vulnerability allow an attacker to modify or delete DAGs or pipeline runs?

No. This vulnerability is information disclosure only. An attacker can enumerate and view metadata about DAGs and their partition run states, but cannot modify, delete, or disrupt any DAGs or pipeline executions. Integrity and availability are not affected.

What is the difference between 'Asset:read' and 'DAG:read' permissions in Airflow?

Asset:read grants permission to view assets (data connections, datasets, and related configurations) globally, while DAG:read controls access to individual DAG metadata and execution. This vulnerability exploits a gap where Asset:read bypasses DAG-level authorization checks on the partitioned_dag_runs endpoint. Organizations should align these two permission scopes in role definitions.

If we do not use Airflow's role-based access control (RBAC) or have everyone as an admin, are we affected?

No. This vulnerability requires a deployment where DAG-level access restrictions are intentionally configured to segment users or teams. If all users have the same Airflow role (e.g., all Admins, or all Viewers), there is no authorization policy to bypass, and the vulnerability does not apply.

Can we mitigate this without upgrading immediately?

Partial mitigation is possible by auditing and restricting Asset:read permissions to only users who legitimately require global asset visibility, and ensuring DAG:read permissions are also restricted accordingly. However, this does not fully close the loophole in the code; upgrading to 3.2.2 or later is the complete fix.

This analysis is based on the CVE description and vendor advisory published on 2026-06-01 and modified 2026-06-17. Patch versions, affected product versions, and technical details are provided for reference only and should be verified against the official Apache Airflow security advisory before deploying fixes. SEC.co does not host or distribute patches; users must obtain updates directly from Apache or their Airflow distribution vendor. Testing in non-production environments is strongly recommended before applying patches to production systems. The information provided is current as of the advisory date; additional details or mitigation strategies may emerge in subsequent vendor communications or security research. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).