CVE-2026-41014 Overview
CVE-2026-41014 is an authorization flaw in Apache Airflow. The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control and did not validate per-Dag authorization. As a result, an authenticated user holding the global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read.
The vulnerability affects deployments that rely on per-Dag read scoping while granting users broader Asset access. The flaw is classified under [CWE-862] Missing Authorization. Apache addressed the issue in apache-airflow 3.2.2.
Critical Impact
Authenticated users with Asset:read permission can read partition run state, schedule configuration, and asset wiring for Dags outside their authorized scope.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments using per-Dag read scoping with global Asset access
- Airflow web servers that expose the partitioned_dag_runs UI and API endpoints
Discovery Timeline
- 2026-06-01 - CVE-2026-41014 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-41014
Vulnerability Analysis
The vulnerability resides in the partitioned_dag_runs endpoints exposed through the Airflow UI and API. These endpoints implement access control checks against the requesting user's asset-level permissions only. They omit the per-Dag authorization layer that Airflow applies to other Dag-scoped read operations.
An authenticated user holding the global Asset:read permission can request partition run data for any Dag wired to an asset they can read. The response leaks partition run state, scheduling metadata, and asset linkage for Dags outside the user's authorized scope. The disclosure is read-only and does not modify pipeline state.
The issue impacts multi-tenant Airflow deployments that use per-Dag role-based access control (RBAC) to segregate teams. Granting broad Asset:read to enable cross-team asset visibility unintentionally exposes Dag-level metadata.
Root Cause
The partitioned_dag_runs handlers check the caller's asset permissions and return results without verifying the caller's authorization on the parent Dag. This is a missing authorization check, mapped to [CWE-862]. Sibling endpoints in the same UI surface enforce per-Dag scoping, so the gap reflects an inconsistent authorization model rather than a design choice.
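To make the gap concrete, the following added example models the two authorization paths side by side: a handler that stops at the asset-level check, and a corrected handler that authorizes on the parent Dag first, the way the sibling Dag-scoped endpoints do. This is illustrative code written for this page; the User model, the Forbidden exception, the helper names and the constructed Dag/asset wiring are assumptions and are not Airflow's own implementation.

```python
"""Model of the CWE-862 gap: an asset-scoped read that skips the parent-Dag
check, beside the corrected handler. Illustrative only; the data model and
helper names are assumptions for this example, not Airflow's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    can_read_assets: bool = False            # global Asset:read (assumed model)
    readable_dags: frozenset = frozenset()   # per-Dag read scope


# Constructed sample state: Dag -> wired asset, and partition run state per Dag.
DAG_ASSETS = {"team_a_etl": "shared_asset", "team_b_etl": "shared_asset"}
PARTITION_RUNS = {
    "team_a_etl": [{"partition": "2026-06-01", "state": "success"}],
    "team_b_etl": [{"partition": "2026-06-01", "state": "failed"}],
}


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def _require_asset_read(user: User, asset: str) -> None:
    if not user.can_read_assets:
        raise Forbidden(f"{user.name} lacks Asset:read on {asset}")


def _require_dag_read(user: User, dag_id: str) -> None:
    if dag_id not in user.readable_dags:
        raise Forbidden(f"{user.name} lacks Dag:read on {dag_id}")


def partitioned_dag_runs_vulnerable(user: User, dag_id: str) -> list:
    """Before the fix: only the asset-level check runs, so any holder of
    Asset:read can read partition state for every Dag wired to that asset."""
    asset = DAG_ASSETS[dag_id]
    _require_asset_read(user, asset)
    return PARTITION_RUNS[dag_id]


def partitioned_dag_runs_fixed(user: User, dag_id: str) -> list:
    """After the fix: authorize on the parent Dag before touching Dag state,
    then apply the asset check. The Dag check runs before the lookup, so an
    unauthorized caller gets the same answer for existing and unknown Dag IDs."""
    _require_dag_read(user, dag_id)
    asset = DAG_ASSETS[dag_id]
    _require_asset_read(user, asset)
    return PARTITION_RUNS[dag_id]


def probe(handler, user: User, dag_id: str) -> str:
    """Return 'data' or 'forbidden' for one handler call; used by the demo."""
    try:
        handler(user, dag_id)
        return "data"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # alice is scoped to team_a_etl but holds global Asset:read.
    alice = User("alice", can_read_assets=True, readable_dags=frozenset({"team_a_etl"}))
    for dag in DAG_ASSETS:
        print(dag, "vulnerable:", probe(partitioned_dag_runs_vulnerable, alice, dag),
              "fixed:", probe(partitioned_dag_runs_fixed, alice, dag))
```

Running the demo shows alice reading team_b_etl through the vulnerable handler and being refused by the fixed one, while her own Dag is readable in both. Ordering the Dag check ahead of the lookup also keeps the endpoint from acting as an existence oracle for Dag IDs the caller is not allowed to see.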
Attack Vector
Exploitation requires only an authenticated session that holds the Asset:read permission. The attacker issues ordinary HTTP requests to the partitioned_dag_runs endpoints; no user interaction, elevated privileges, or specialized tooling is needed. The attack surface is the Airflow web server, which is typically reachable from internal networks and, in some deployments, from the public internet.
See the GitHub Pull Request and the Apache Mailing List Thread for the upstream fix and disclosure.
Detection Methods for CVE-2026-41014
Indicators of Compromise
- Unusual volume of requests to partitioned_dag_runs endpoints from a single authenticated session
- Authenticated users querying partition run data for Dags outside their team or project scope
- Web server access logs showing one session requesting partition run data for many distinct Dag identifiers in a short interval
Detection Strategies
- Review Airflow web server and reverse proxy logs for requests targeting partitioned_dag_runs paths
- Correlate request volume with the requesting user's normal Dag access patterns
- Audit RBAC assignments to identify users holding global Asset:read alongside narrow per-Dag scopes
Monitoring Recommendations
- Forward Airflow access logs to a centralized logging or SIEM platform
- Alert on authenticated API calls that retrieve Dag metadata outside a user's assigned Dag set
- Track changes to RBAC role definitions and Asset permission grants
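The detection strategies above can be run over access logs as a script. The following added example, written for this page and not part of Airflow or of the original advisory, parses combined-format reverse proxy log lines, keeps only requests to the partitioned_dag_runs endpoints, and reports two things: successful reads of Dags outside the requesting user's assigned scope, and users whose distinct-Dag count looks like enumeration. The log lines and the per-user scope table are constructed; the route shape /ui/dags/<dag_id>/partitioned_dag_runs (and its /api/v2 counterpart) and the assumption that the proxy writes the authenticated user in the third field are both assumptions, so adjust the regexes to the paths and log format your deployment actually emits.

```python
"""Detection logic for CVE-2026-41014 style enumeration over access logs.
Added example; the log format, route shape and scope table are assumptions."""
import re
from collections import defaultdict

# Combined log format with the authenticated user in the third field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed route shape; the real path may differ between UI and API surfaces.
DAG_RE = re.compile(r'^/(?:ui|api/v2)/dags/(?P<dag_id>[^/?]+)/partitioned_dag_runs')

# Constructed sample log: alice walks four Dags in four seconds, bob reads his
# own Dag, carol is refused (403) on a Dag outside her scope.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jun/2026:12:00:01 +0000] "GET /ui/dags/team_a_etl/partitioned_dag_runs HTTP/1.1" 200 812
10.0.0.5 - alice [01/Jun/2026:12:00:02 +0000] "GET /ui/dags/team_b_etl/partitioned_dag_runs HTTP/1.1" 200 905
10.0.0.5 - alice [01/Jun/2026:12:00:03 +0000] "GET /ui/dags/finance_close/partitioned_dag_runs HTTP/1.1" 200 640
10.0.0.5 - alice [01/Jun/2026:12:00:04 +0000] "GET /ui/dags/hr_sync/partitioned_dag_runs HTTP/1.1" 200 611
10.0.0.7 - bob [01/Jun/2026:12:01:00 +0000] "GET /ui/dags/team_b_etl/partitioned_dag_runs HTTP/1.1" 200 905
10.0.0.7 - bob [01/Jun/2026:12:01:05 +0000] "GET /ui/dags/team_b_etl/grid HTTP/1.1" 200 3001
10.0.0.9 - carol [01/Jun/2026:12:02:00 +0000] "GET /api/v2/dags/finance_close/partitioned_dag_runs HTTP/1.1" 403 120
"""

# Constructed per-user Dag scope, as an RBAC export or inventory would supply it.
USER_DAG_SCOPE = {
    "alice": {"team_a_etl"},
    "bob": {"team_b_etl"},
    "carol": {"finance_close"},
}


def parse_partition_requests(log_text):
    """Yield (user, dag_id, status) for each request that hit the endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = DAG_RE.match(m["path"])
        if not d:
            continue
        yield m["user"], d["dag_id"], int(m["status"])


def analyze(log_text, scope, enum_threshold=3):
    """Return out-of-scope reads that succeeded (2xx) and users whose number
    of distinct Dags reached enum_threshold. Refused requests still count
    toward enumeration, since they show intent even when the fix is in place."""
    per_user_dags = defaultdict(set)
    out_of_scope = []
    for user, dag_id, status in parse_partition_requests(log_text):
        per_user_dags[user].add(dag_id)
        if 200 <= status < 300 and dag_id not in scope.get(user, set()):
            out_of_scope.append((user, dag_id))
    enumerators = sorted(u for u, dags in per_user_dags.items()
                         if len(dags) >= enum_threshold)
    return {"out_of_scope": out_of_scope, "enumerators": enumerators}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, USER_DAG_SCOPE).items():
        print(key, value)
```

The scope table is the part that needs real input: without a per-user Dag assignment, the script can only flag volume, not out-of-scope access. Feed it the same role export you use for the RBAC audit and point the log reader at the proxy in front of the web server rather than at the web server alone, so that requests blocked by proxy rules are still visible.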
How to Mitigate CVE-2026-41014
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later
- Inventory users and roles that hold the global Asset:read permission
- Review Airflow audit logs for prior access to partitioned_dag_runs endpoints by non-privileged users
- Restrict network exposure of the Airflow web server to trusted networks
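The inventory step above is a query over role definitions: which roles hold Asset read without a global Dag read grant, and which users sit in them. The following added example, written for this page and not part of Airflow, runs that query over a role export. The export shape (one object per role/resource/action triple) follows what the FAB auth manager's `airflow roles export` writes, and the resource and action names "Assets", "DAGs", "DAG:<dag_id>" and "can_read" are the FAB naming as assumed here; the export contents and the user-to-role mapping are constructed, and deployments on another auth manager will need to adapt the field names.

```python
"""RBAC audit: roles that hold Asset read but only narrow per-Dag read.
Added example; the export shape and resource/action names are assumptions."""
import json
from collections import defaultdict

# Constructed export in the shape assumed for `airflow roles export`.
ROLE_EXPORT = json.loads("""
[
  {"name": "Admin",   "resource": "DAGs",           "action": "can_read"},
  {"name": "Admin",   "resource": "Assets",         "action": "can_read"},
  {"name": "TeamA",   "resource": "DAG:team_a_etl", "action": "can_read"},
  {"name": "TeamA",   "resource": "DAG:team_a_etl", "action": "can_edit"},
  {"name": "TeamA",   "resource": "Assets",         "action": "can_read"},
  {"name": "TeamB",   "resource": "DAG:team_b_etl", "action": "can_read"},
  {"name": "Auditor", "resource": "DAGs",           "action": "can_read"},
  {"name": "Auditor", "resource": "Assets",         "action": "can_read"}
]
""")

# Constructed user-to-role mapping, as a users listing would provide it.
USER_ROLES = {"alice": ["TeamA"], "bob": ["TeamB"], "dana": ["Auditor"], "root": ["Admin"]}

ASSET_RESOURCE = "Assets"      # global Asset permission resource (assumed name)
ALL_DAGS_RESOURCE = "DAGs"     # global Dag permission resource (assumed name)
DAG_PREFIX = "DAG:"            # per-Dag resource prefix (assumed name)
READ = "can_read"


def roles_with_scoping_gap(export):
    """Return {role: sorted narrow Dag list} for roles that hold Asset read
    but lack global Dag read. Those are the roles whose effective read scope
    the flaw widens; roles with global Dag read can already see every Dag."""
    asset_read, all_dags_read, narrow = set(), set(), defaultdict(set)
    for perm in export:
        role, res, act = perm["name"], perm["resource"], perm["action"]
        if act != READ:
            continue
        if res == ASSET_RESOURCE:
            asset_read.add(role)
        elif res == ALL_DAGS_RESOURCE:
            all_dags_read.add(role)
        elif res.startswith(DAG_PREFIX):
            narrow[role].add(res[len(DAG_PREFIX):])
    return {r: sorted(narrow[r]) for r in sorted(asset_read - all_dags_read)}


def users_affected(export, user_roles):
    """Users holding at least one role with the scoping gap."""
    gaps = roles_with_scoping_gap(export)
    return sorted(u for u, roles in user_roles.items() if any(r in gaps for r in roles))


if __name__ == "__main__":
    print("roles with gap:", roles_with_scoping_gap(ROLE_EXPORT))
    print("users to review:", users_affected(ROLE_EXPORT, USER_ROLES))
```

In the constructed data only TeamA is flagged: Admin and Auditor hold global Dag read, so the missing per-Dag check changes nothing for them, and TeamB has no Asset read at all. The flagged users are the ones whose prior requests to the partitioned_dag_runs endpoints are worth reviewing, and the roles are the ones to consider when deciding whether to revoke Asset read as an interim workaround.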
Patch Information
Apache released the fix in apache-airflow 3.2.2. The change adds per-Dag authorization enforcement to the partitioned_dag_runs endpoints. Details are available in the GitHub Pull Request and the Openwall OSS Security Update.
Workarounds
- Revoke the global Asset:read permission from roles that should not see all Dag metadata
- Limit Airflow UI and API access to authenticated administrators until patching completes
- Place the Airflow web server behind an authenticating reverse proxy with per-endpoint access rules
# Upgrade Apache Airflow to the patched release
# (Airflow's installation docs recommend pinning with the matching
# constraints file so that the upgrade does not pull incompatible dependencies)
pip install --upgrade "apache-airflow==3.2.2"
# Verify installed version
airflow version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.