CVE-2026-24098

CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Vendor Apache Software Foundation

Product Apache Airflow

Weakness CWE-200 · Info exposure

Published February 9, 2026

Last update March 10, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Key dates

Disclosure timeline

February 9, 2026 CVE published

March 10, 2026 Record updated