CVE-2026-40690

medium Apache
CVSS v3 Base Score
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score
0.1%
Exploitation probability in 30 days
Top 81% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Confidentiality
Low
Integrity
None
Availability
None
Published: April 24, 2026 (19 days ago)
Last Modified: April 27, 2026
Vendor: Apache
Source: NVD

Description

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CWE

CWE-1220

Affected Products

apache airflow

References

🔗 github.com 🔗 lists.apache.org 🔗 www.openwall.com