CVE-2026-41014

Published: Giu 01, 2026 Last Modified: Giu 01, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

862

Missing Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: AI/ML, Web Server, Database Server, Not Technology-Specific
Likelihood of Exploit: High
View CWE Details
http://www.openwall.com/lists/oss-security/2026/05/31/4
http://www.openwall.com/lists/oss-security/2026/05/31/4
https://github.com/apache/airflow/pull/65344
https://github.com/apache/airflow/pull/65344
https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny154…
https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9