CVE-2026-40690

Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

CVSS 4.3 MEDIUMEPSS 0.4%CWE-1220

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 0.4%KEV nãoPoC —Patch referenciado

Ciclo de vida

24 abr 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Productos afectados

Apache Software Foundation · Apache Airflow

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/apache/airflow/pull/65273 https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl http://www.openwall.com/lists/oss-security/2026/04/24/4