PatchSiren cyber security CVE debrief

CVE-2026-40963 Apache Software Foundation CVE debrief

An authorization bypass in Apache Airflow's structure_data endpoint allows authenticated users to enumerate linked DAG IDs and dependency metadata for DAGs they lack read permission to access. The endpoint returns external dependency graph nodes without verifying read permissions on linked DAGs, undermining per-DAG access controls in multi-team deployments.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow with multi-team deployments using per-DAG access controls to protect DAG dependency topology confidentiality

Technical summary

The structure_data endpoint in the Airflow UI constructs dependency graphs that include external nodes representing linked DAGs. The endpoint fails to check whether the authenticated caller possesses read permission on those linked DAGs before returning their identifiers and dependency metadata. An attacker with legitimate access to at least one DAG can therefore enumerate the existence and relationships of other DAGs in the deployment. This vulnerability specifically affects organizations that rely on per-DAG read scoping to isolate DAG dependency topology between teams. The weakness is classified as CWE-285 (Improper Authorization). Remediation is available in apache-airflow version 3.2.2 and later.
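The following model shows the authorization gap described above next to the scoped behaviour a fix needs. It is an added example, not Airflow's code: the dependency table, the read-grant table, the Node type and all function names are constructed for the demonstration, and the "auth manager" is a dictionary lookup.

```python
"""Illustrative model of the structure_data authorization gap.

Added example, not Airflow's code: the dependency table, the read-grant table
and every function name here are constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed dependency table: DAG id -> DAG ids it triggers or depends on.
DAG_DEPENDENCIES = {
    "team_a_etl": ["team_a_report", "team_b_ingest"],
    "team_a_report": [],
    "team_b_ingest": ["team_b_enrich"],
    "team_b_enrich": [],
}

# Constructed per-DAG read grants: user -> DAG ids the user may read.
READ_GRANTS = {
    "alice": {"team_a_etl", "team_a_report"},
    "bob": {"team_b_ingest", "team_b_enrich"},
    "admin": set(DAG_DEPENDENCIES),
}


def can_read(user: str, dag_id: str) -> bool:
    """Per-DAG read check; stands in for the deployment's auth manager."""
    return dag_id in READ_GRANTS.get(user, set())


@dataclass(frozen=True)
class Node:
    id: str
    is_external: bool  # True when the node represents another (linked) DAG


def structure_data_unscoped(user: str, dag_id: str) -> list[Node]:
    """Vulnerable pattern: only the requested DAG is authorized; every linked
    DAG is emitted as an external node regardless of the caller's grants."""
    if not can_read(user, dag_id):
        raise PermissionError(f"{user} may not read {dag_id}")
    nodes = [Node(dag_id, False)]
    nodes += [Node(dep, True) for dep in DAG_DEPENDENCIES[dag_id]]
    return nodes


def structure_data_scoped(user: str, dag_id: str) -> list[Node]:
    """Hardened pattern: an external node is emitted only when the caller can
    read the linked DAG. Unreadable nodes are dropped rather than redacted, so
    neither the id nor the existence of that DAG is revealed."""
    if not can_read(user, dag_id):
        raise PermissionError(f"{user} may not read {dag_id}")
    nodes = [Node(dag_id, False)]
    nodes += [
        Node(dep, True) for dep in DAG_DEPENDENCIES[dag_id] if can_read(user, dep)
    ]
    return nodes


def linked_dag_ids(nodes: list[Node]) -> list[str]:
    """The linked DAG ids a caller learns from one structure_data response."""
    return sorted(n.id for n in nodes if n.is_external)


if __name__ == "__main__":
    for fn in (structure_data_unscoped, structure_data_scoped):
        print(fn.__name__, linked_dag_ids(fn("alice", "team_a_etl")))
```

With the constructed grants, alice legitimately reads team_a_etl; the unscoped variant hands her team_b_ingest as a linked node, the scoped variant does not. Dropping nodes is the safer choice over emitting a redacted placeholder, because even a count of hidden placeholders tells the caller that further DAGs exist.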

Defensive priority

medium

Recommended defensive actions

  • Upgrade to apache-airflow 3.2.2 or later
  • Review Airflow deployment access logs for unauthorized structure_data endpoint queries accessing linked DAG dependency graphs
  • Validate that per-DAG read scoping controls are enforced across all UI/API endpoints that return cross-DAG metadata
  • Audit DAG dependency topology exposure for sensitive workflow relationships in multi-team environments
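The log review and topology audit items above can be combined into one pass over access logs: for every successful structure_data query, compute which linked DAGs the caller could not read, since on an unpatched server those ids were returned. This is an added example, not a PatchSiren or Airflow tool; the combined-format log lines, the URL path, the dependency table and the read-grant table are all constructed, and the path in particular is an assumption about how the deployment's proxy records the request.

```python
"""Added example: review access logs for structure_data queries that, on an
unpatched deployment, returned linked DAG ids the caller could not read.

Everything here is constructed: the log lines and their format, the URL path,
the dependency table and the read-grant table.
"""
import re
from urllib.parse import parse_qs

# Constructed dependency table: DAG id -> DAG ids it triggers or depends on.
DAG_DEPENDENCIES = {
    "team_a_etl": ["team_a_report", "team_b_ingest"],
    "team_a_report": [],
    "team_b_ingest": ["team_b_enrich"],
    "team_b_enrich": [],
}

# Constructed per-DAG read grants: user -> DAG ids the user may read.
READ_GRANTS = {
    "alice": {"team_a_etl", "team_a_report"},
    "bob": {"team_b_ingest", "team_b_enrich"},
    "admin": set(DAG_DEPENDENCIES),
}

# Constructed combined-format access log; the structure_data path is assumed.
ACCESS_LOG = """\
10.0.0.5 - alice [01/Jun/2026:10:00:01 +0000] "GET /ui/structure/structure_data?dag_id=team_a_etl HTTP/1.1" 200 812
10.0.0.5 - alice [01/Jun/2026:10:00:02 +0000] "GET /ui/structure/structure_data?dag_id=team_a_report HTTP/1.1" 200 301
10.0.0.9 - bob [01/Jun/2026:10:01:00 +0000] "GET /ui/structure/structure_data?dag_id=team_a_etl HTTP/1.1" 403 0
10.0.0.9 - bob [01/Jun/2026:10:01:30 +0000] "GET /ui/structure/structure_data?dag_id=team_b_ingest HTTP/1.1" 200 455
10.0.0.9 - bob [01/Jun/2026:10:01:45 +0000] "GET /ui/structure/structure_data?dag_id=team_a_report HTTP/1.1" 200 301
10.0.0.7 - admin [01/Jun/2026:10:02:00 +0000] "GET /api/v2/dags HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def can_read(user: str, dag_id: str) -> bool:
    """Per-DAG read check; stands in for the deployment's auth manager."""
    return dag_id in READ_GRANTS.get(user, set())


def structure_data_requests(log_text: str):
    """Yield (user, dag_id, status) for each structure_data query in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not path.endswith("/structure_data"):
            continue
        for dag_id in parse_qs(query).get("dag_id", []):
            yield m["user"], dag_id, m["status"]


def find_topology_exposures(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Successful queries whose dependency graph contains linked DAGs the
    caller cannot read: the ids an unpatched server would have disclosed."""
    findings = []
    for user, dag_id, status in structure_data_requests(log_text):
        if status != "200":
            continue
        unreadable = [d for d in DAG_DEPENDENCIES.get(dag_id, []) if not can_read(user, d)]
        if unreadable:
            findings.append((user, dag_id, unreadable))
    return findings


def find_unauthorized_successes(log_text: str) -> list[tuple[str, str]]:
    """Successful queries on a DAG the caller cannot read at all: evidence that
    per-DAG read scoping is not enforced on the endpoint itself."""
    return [
        (user, dag_id)
        for user, dag_id, status in structure_data_requests(log_text)
        if status == "200" and not can_read(user, dag_id)
    ]


if __name__ == "__main__":
    print("exposures:", find_topology_exposures(ACCESS_LOG))
    print("unauthorized 200s:", find_unauthorized_successes(ACCESS_LOG))
```

On the constructed log, alice's query on team_a_etl is the only exposure (it links to team_b_ingest, which she cannot read), and bob's 200 on team_a_report is flagged as an enforcement failure even though that DAG has no linked nodes to leak. Both checks assume the proxy or API server records the authenticated username; if it does not, the same pass can key on session or token identifiers instead.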

Evidence notes

CWE-285 (Improper Authorization) assigned by [email protected]. Fix pull request and Apache security mailing list discussion referenced in NVD record. Vendor attribution to Apache based on reference_domain_candidate evidence with low confidence; needs review.

Official resources

2026-06-01