PatchSiren cyber security CVE debrief

CVE-2026-41014 Apache Software Foundation CVE debrief

CVE-2026-41014 is a missing-authorization flaw (CWE-862) in the partitioned_dag_runs endpoints of Apache Airflow's UI/API, published 2026-06-01. The endpoints checked only asset-level access control and did not check per-DAG read authorization, so an authenticated UI/API user holding the global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for DAGs that user was not permitted to read. Deployments that rely on per-DAG read scoping while granting users broader Asset access are the ones exposed. The fix ships in apache-airflow 3.2.2; upgrade to that release or later.

Vendor
Apache Software Foundation
Product
Apache Airflow
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Apache Airflow administrators who scope users per DAG but grant broader Asset permissions, security teams responsible for data pipeline access governance, and compliance owners who must demonstrate least-privilege enforcement in orchestration platforms.

Technical summary

The partitioned_dag_runs endpoints in Apache Airflow's UI/API did not enforce per-DAG read authorization; they relied solely on asset-level access control. An authenticated user with the global Asset:read permission could therefore read partition run state, schedule configuration, and asset wiring for DAGs outside their authorized scope. The weakness is a missing authorization check (CWE-862) in the endpoint code; it is reachable in any deployment that relies on per-DAG read scoping while granting Asset:read broadly. The issue was fixed in apache-airflow 3.2.2.

Defensive priority

medium

Recommended defensive actions

  • Upgrade to apache-airflow 3.2.2 or later to obtain the authorization fix for the partitioned_dag_runs endpoints.
  • Review role definitions so that global Asset:read is not granted more broadly than intended wherever per-DAG read scoping is relied on; a user's asset grants should not exceed the DAGs they are meant to see.
  • Audit webserver/API access logs covering the period before the upgrade for successful requests to the partitioned_dag_runs endpoints made by users who lack read permission on the referenced DAG; such requests indicate enumeration of partition run state, schedule configuration, or asset wiring.
  • After upgrading, validate that the partitioned_dag_runs endpoints enforce both per-DAG and asset-level authorization: a user with global Asset:read but no read permission on a given DAG should be denied access to that DAG's partition runs.
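As an added illustration that is not Airflow's own code and is not taken from the advisory, the following Python models the authorization gap described in the technical summary (asset-level check only versus asset-level plus per-DAG check) and then applies the two review steps above, the Asset:read policy review and the pre-upgrade log audit, to constructed data. The permission model, the usernames, the asset wiring, the access-log line format and the URL shape /ui/dags/<dag_id>/partitioned_dag_runs are all assumptions made for this example, not Airflow's actual RBAC implementation, log format or routes.

```python
import re
from dataclasses import dataclass

# --- Constructed permission model (assumption, not Airflow's RBAC code) ---


@dataclass(frozen=True)
class Principal:
    name: str
    asset_read: bool                     # global Asset:read permission
    dag_read: frozenset = frozenset()    # DAG ids this user may read


# Constructed asset wiring: which assets feed which DAG.
DAG_ASSETS = {
    "sales_daily": ("s3://raw/sales",),
    "hr_payroll": ("s3://raw/hr",),
}

# Constructed users: every one of them holds global Asset:read, but only
# some hold per-DAG read scope. "carol" has asset access and no DAG scope.
PRINCIPALS = {
    "alice": Principal("alice", asset_read=True, dag_read=frozenset({"sales_daily"})),
    "bob": Principal("bob", asset_read=True, dag_read=frozenset({"sales_daily", "hr_payroll"})),
    "carol": Principal("carol", asset_read=True),
}


def can_read_asset(user: Principal, asset: str) -> bool:
    # Global Asset:read grants every asset; this over-broad grant is the problem.
    return user.asset_read


def authorize_vulnerable(user: Principal, dag_id: str) -> bool:
    """Behaviour the advisory describes before 3.2.2: asset-level check only."""
    return all(can_read_asset(user, a) for a in DAG_ASSETS.get(dag_id, ()))


def authorize_fixed(user: Principal, dag_id: str) -> bool:
    """Both checks: per-DAG read scope AND asset-level access."""
    return dag_id in user.dag_read and authorize_vulnerable(user, dag_id)


def over_exposed(principals: dict) -> dict:
    """Policy review: DAGs each user could enumerate before the fix but not after."""
    result = {}
    for name, user in principals.items():
        gap = sorted(d for d in DAG_ASSETS
                     if authorize_vulnerable(user, d) and not authorize_fixed(user, d))
        if gap:
            result[name] = gap
    return result


# --- Audit over constructed access-log lines (line format is an assumption) ---

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed route shape; substitute the real path your deployment logs.
PATH_RE = re.compile(r"^/ui/dags/(?P<dag_id>[^/?]+)/partitioned_dag_runs(?:[/?]|$)")

SAMPLE_LOG = """\
2026-06-02T09:14:03Z user=alice GET /ui/dags/sales_daily/partitioned_dag_runs?limit=50 200
2026-06-02T09:14:09Z user=alice GET /ui/dags/hr_payroll/partitioned_dag_runs?limit=50 200
2026-06-02T09:15:41Z user=bob GET /ui/dags/hr_payroll/partitioned_dag_runs 200
2026-06-02T09:16:02Z user=alice GET /ui/dags/hr_payroll/grid 403
2026-06-02T09:17:30Z user=carol GET /ui/dags/sales_daily/partitioned_dag_runs 403
2026-06-02T09:18:11Z user=mallory GET /ui/dags/hr_payroll/partitioned_dag_runs 200
""".splitlines()


def audit(log_lines, principals: dict) -> list:
    """Return (ts, user, dag_id, status) for successful partitioned_dag_runs
    requests that the fixed check would have denied: the pre-upgrade exposure."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        p = PATH_RE.match(m["path"])
        if not p:
            continue                      # some other endpoint
        status = int(m["status"])
        if status >= 400:
            continue                      # request was already denied
        user = principals.get(m["user"])
        if user is None or not authorize_fixed(user, p["dag_id"]):
            findings.append((m["ts"], m["user"], p["dag_id"], status))
    return findings


if __name__ == "__main__":
    for name, dags in over_exposed(PRINCIPALS).items():
        print(f"policy gap: {name} could enumerate {dags} via Asset:read alone")
    for ts, who, dag_id, status in audit(SAMPLE_LOG, PRINCIPALS):
        print(f"{ts} {who} read partition runs of {dag_id} (HTTP {status}) without DAG read scope")
```

The audit deliberately skips responses of 400 and above: after the upgrade those requests are the expected outcome and are not findings, while a 2xx from a user with no read scope on the DAG (or from a principal that no longer exists in the role map) is. Unknown usernames are reported rather than ignored so that deleted or renamed accounts do not silently disappear from the review.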

Evidence notes

CVE description states the partitioned_dag_runs endpoints enforced only asset-level access control, not per-DAG authorization. NVD source lists CWE-862. Apache security advisory references confirm fix in pull request and mailing list discussion.

Official resources

2026-06-01