CVE-2026-24098

Apache Airflow versions 3.0.0 - 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they do not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue.
References
Configurations

Configuration 1

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

10 Mar 2026, 19:17

Type Values Removed Values Added
Summary
  • (es) Apache Airflow versions before 3.1.7 have a vulnerability that allows authenticated user interface (UI) users with permission to one or more specific DAGs to view import errors generated by other DAGs they did not have access to. Users are advised to upgrade to version 3.1.7 or later, which resolves this issue.
Summary
  • Values Removed: (en) Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue
  • Values Added: (en) Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

11 Feb 2026, 18:30

Type Values Removed Values Added
CPE cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
References () https://github.com/apache/airflow/pull/60801 - () https://github.com/apache/airflow/pull/60801 - Issue Tracking, Patch
References () https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x - () https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2026/02/09/3 - () http://www.openwall.com/lists/oss-security/2026/02/09/3 - Mailing List, Third Party Advisory
First Time Apache airflow
Apache

09 Feb 2026, 18:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2026/02/09/3 -

09 Feb 2026, 16:16

Type Values Removed Values Added
CVSS
  • Values Removed: v2 : unknown, v3 : unknown
  • Values Added: v2 : unknown, v3 : 6.5

09 Feb 2026, 11:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-09 11:16

Updated : 2026-03-11 13:51


NVD link : CVE-2026-24098

Mitre link : CVE-2026-24098

CVE.ORG link : CVE-2026-24098


Products Affected

apache

  • airflow
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor