Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49296

CVE-2026-49296: Apache Airflow Information Disclosure

CVE-2026-49296 is an information disclosure vulnerability in Apache Airflow that allows unauthorized users to view DAG source code. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-49296 Overview

CVE-2026-49296 is an authorization bypass vulnerability in Apache Airflow that allows a user with read access to one Directed Acyclic Graph (DAG) to view the source code of other DAGs stored in the same source file. The GET /api/v2/dagSources/{dag_id} endpoint and the equivalent DAG-source view in the web UI returned the entire source file without redacting DAGs the caller was not authorized to read. This bypasses per-DAG read authorization ([CWE-639]). Deployments that co-locate multiple DAGs in a single Python file are affected. Single-DAG-per-file deployments are not impacted. Apache resolved the issue in version 3.3.0.

Critical Impact

Authenticated Airflow users can read source code of DAGs outside their authorization scope, potentially exposing embedded logic, connection identifiers, and business workflow details.

Affected Products

  • Apache Airflow versions prior to 3.3.0
  • Deployments co-locating multiple DAGs in a single Python source file
  • Airflow REST API v2 dagSources endpoint and equivalent UI view

Discovery Timeline

  • 2026-07-07 - CVE-2026-49296 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-49296

Vulnerability Analysis

Apache Airflow enforces per-DAG read authorization to control which users can view individual pipeline definitions. When Airflow retrieves DAG source code, it returns the file contents associated with a given dag_id. Because DAG authors can define multiple DAG objects in a single Python file, one source file may back several dag_id values with independent access control policies.

The vulnerable GET /api/v2/dagSources/{dag_id} endpoint returned the full contents of the underlying source file whenever the caller had read access to any DAG defined in it. The endpoint did not filter or redact code corresponding to co-located DAGs the caller lacked permission to view. The web UI DAG-source view exhibited the same behavior.

Root Cause

The root cause is an authorization check performed at file granularity rather than DAG granularity. Airflow validated that the caller could read the requested dag_id, then returned the entire file backing that DAG. The design assumed a one-to-one mapping between DAGs and source files. Deployments relying on per-DAG access control to isolate sensitive pipeline logic within shared files were exposed.

Attack Vector

An authenticated Airflow user with read permission on at least one low-sensitivity DAG can request the source endpoint for that DAG. The response contains the full source file, including the code of any restricted DAGs co-located in the same file. Exploitation requires only valid API credentials and read access to a single DAG in the target file. No user interaction is needed.

Exploitation is straightforward: the attacker issues a request such as GET /api/v2/dagSources/<permitted_dag_id> using their existing session token or API credentials, then parses the returned source for definitions of DAGs they are not authorized to read.

Detection Methods for CVE-2026-49296

Indicators of Compromise

  • Repeated GET /api/v2/dagSources/{dag_id} requests from a single user targeting DAGs across multiple projects or teams
  • API access log entries showing DAG source retrieval by users whose role scope does not match the DAG's owning team
  • Unusual volume of DAG source views recorded in the Airflow audit log for accounts with narrow DAG permissions

Detection Strategies

  • Enable Airflow audit logging and forward events to a centralized log platform, then alert when a user retrieves source for a DAG outside their normal project scope
  • Correlate dagSources API access with the caller's assigned DAG-level roles to identify permission-boundary crossings
  • Baseline expected DAG source retrieval patterns per user role and flag statistical outliers

Monitoring Recommendations

  • Monitor Airflow webserver access logs for calls to /api/v2/dagSources/ and the UI equivalent, retaining request user, timestamp, and target dag_id
  • Track the Airflow version deployed across environments and alert on any instance running a release earlier than 3.3.0
  • Review DAG file layouts to inventory files containing multiple DAGs, which represent the exposed surface for this issue

How to Mitigate CVE-2026-49296

Immediate Actions Required

  • Upgrade all Apache Airflow deployments to version 3.3.0 or later
  • Audit DAG source files to identify those containing multiple DAG definitions and treat co-located sources as exposed until the upgrade completes
  • Rotate any credentials, tokens, or secrets embedded in DAG source code that may have been read by unauthorized users

Patch Information

Apache Airflow 3.3.0 addresses CVE-2026-49296 by aligning DAG source disclosure with per-DAG authorization. Patch details and code changes are available in the Apache Airflow GitHub Pull Request 67662 and the Apache Airflow security mailing list announcement.

Workarounds

  • Split multi-DAG source files so each file contains a single DAG, eliminating the co-location condition required for exposure
  • Restrict access to the dagSources API endpoint at a reverse proxy or API gateway until the upgrade is deployed
  • Remove hard-coded secrets from DAG source code and move them to Airflow Connections or a managed secrets backend
bash
# Upgrade Apache Airflow to a fixed release
pip install --upgrade "apache-airflow>=3.3.0"

# Verify installed version
airflow version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.