CVE-2026-28563: Apache Airflow: DAG authorization bypass

March 17, 2026 (updated March 18, 2026)

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

github.com/advisories/GHSA-x3fv-96qh-67m7
github.com/apache/airflow
github.com/apache/airflow/pull/62046
lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
nvd.nist.gov/vuln/detail/CVE-2026-28563

Code Behaviors & Features

Detect and mitigate CVE-2026-28563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →