PatchSiren cyber security CVE debrief

CVE-2026-46764 Apache Software Foundation CVE debrief

An authorization inconsistency in Apache Airflow's Event Log API allows authenticated users with audit-log read permission for one DAG to retrieve audit-log entries for any other DAG by directly accessing the detail endpoint with a numeric event log ID. The collection endpoint (`GET /api/v2/eventLogs`) correctly applies per-DAG scoping, but the detail endpoint (`GET /api/v2/eventLogs/{event_log_id}`) only performs a generic Audit Log permission check without verifying DAG-level access controls. This affects deployments that rely on per-DAG audit-log scoping for isolation. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Apache has released version 3.2.2 to address this issue.

Vendor
Apache Software Foundation
Product
Apache Airflow
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Apache Airflow administrators using per-DAG audit-log scoping for multi-tenant or segregated environments; security teams responsible for API authorization consistency; compliance officers relying on audit-log isolation for access control verification

Technical summary

The `GET /api/v2/eventLogs/{event_log_id}` endpoint in Apache Airflow fetches audit-log rows by numeric ID after only a generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applies per-DAG scoping. An authenticated UI/API user with audit-log read permission for one DAG can retrieve audit-log entries for any other DAG by guessing or enumerating numeric event log IDs. This authorization inconsistency (CWE-639) affects deployments relying on per-DAG audit-log scoping. Fixed in apache-airflow 3.2.2.
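The inconsistency is easiest to see as two lookups over the same rows, one scoped and one not. The following is an added illustration written for this debrief; it is not Airflow's code and does not use Airflow's auth-manager API or table layout. The `EventLogRow`, `User`, `_dag_visible` and the three endpoint functions are constructed stand-ins: `get_event_log_vulnerable` applies only the generic Audit Log check the advisory describes, while `get_event_log_hardened` reuses the same per-DAG rule as the collection endpoint, so the set of rows reachable by ID is exactly the set the collection would list.

```python
"""Simplified model of the Event Log authorization inconsistency (CWE-639).

Constructed example for illustration; it does not use Airflow's real
auth-manager API or its real event_log table. It models the collection
endpoint and two versions of the detail endpoint over the same rows.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class EventLogRow:
    id: int
    dag_id: Optional[str]   # None for events not tied to any DAG
    event: str


@dataclass
class User:
    name: str
    audit_log_read: bool                      # generic "Audit Log" read permission
    readable_dags: set = field(default_factory=set)  # DAG-level audit-log scope
    reads_all_dags: bool = False              # unscoped reader, e.g. an admin role


class AuthorizationError(Exception):
    pass


# Constructed sample table; IDs are sequential, as they would be in a real DB.
EVENT_LOGS = {
    1: EventLogRow(1, "tenant_a_etl", "trigger"),
    2: EventLogRow(2, "tenant_b_billing", "trigger"),
    3: EventLogRow(3, None, "variable.edit"),
    4: EventLogRow(4, "tenant_a_etl", "clear"),
}


def _dag_visible(user: User, dag_id: Optional[str]) -> bool:
    """Per-DAG scoping rule; the hardened detail lookup shares it with the collection."""
    if user.reads_all_dags:
        return True
    if dag_id is None:
        # Events with no DAG association are only visible to unscoped readers.
        return False
    return dag_id in user.readable_dags


def list_event_logs(user: User) -> list:
    """Collection endpoint: generic check plus per-DAG filtering."""
    if not user.audit_log_read:
        raise AuthorizationError("missing audit-log read permission")
    return [row for row in EVENT_LOGS.values() if _dag_visible(user, row.dag_id)]


def get_event_log_vulnerable(user: User, event_log_id: int) -> EventLogRow:
    """Detail lookup as described in the advisory: generic check only, no DAG check."""
    if not user.audit_log_read:
        raise AuthorizationError("missing audit-log read permission")
    return EVENT_LOGS[event_log_id]


def get_event_log_hardened(user: User, event_log_id: int) -> EventLogRow:
    """Detail lookup that applies the same per-DAG scoping as the collection."""
    if not user.audit_log_read:
        raise AuthorizationError("missing audit-log read permission")
    row = EVENT_LOGS.get(event_log_id)
    # Same "not found" for missing and out-of-scope rows, so the response does
    # not confirm that a given ID exists under another tenant's DAG.
    if row is None or not _dag_visible(user, row.dag_id):
        raise KeyError(event_log_id)
    return row


def hardened_lookup_allowed(user: User, event_log_id: int) -> bool:
    """Convenience wrapper: does the hardened detail endpoint return this row?"""
    try:
        get_event_log_hardened(user, event_log_id)
        return True
    except KeyError:
        return False


def detail_matches_collection(user: User) -> bool:
    """Consistency property worth checking after an upgrade: the IDs reachable
    one by one through the detail endpoint equal the IDs the collection lists."""
    listed = {row.id for row in list_event_logs(user)}
    reachable = {i for i in EVENT_LOGS if hardened_lookup_allowed(user, i)}
    return listed == reachable
```

`detail_matches_collection` is the property the fourth recommended action asks you to validate: for every user, the detail endpoint should disclose no row the collection endpoint would have filtered out. The hardened lookup deliberately answers "not found" for both missing and out-of-scope IDs; answering "forbidden" for the latter would still leak whether an ID exists in another tenant's DAG.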

Defensive priority

medium

Recommended defensive actions

  • Upgrade apache-airflow to version 3.2.2 or later to obtain the fix for this authorization bypass
  • If immediate upgrade is not feasible, review and restrict access to the Event Log detail endpoint (`GET /api/v2/eventLogs/{event_log_id}`) for users who should not have cross-DAG audit-log visibility
  • Audit existing event log access patterns to identify whether unauthorized cross-DAG access may have occurred
  • Validate that per-DAG audit-log scoping is enforced consistently across all API endpoints after upgrade
  • Monitor for anomalous access to event log IDs outside expected ranges or DAG associations
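The third and fifth actions above (auditing past access and monitoring for out-of-scope ID reads) can be approached by joining API access logs against a snapshot of the `event_log` table. The script below is an added example for this debrief, not a PatchSiren or Airflow tool. It assumes an access log in a combined-log-like format whose third field carries the authenticated username (real proxy or API-server logs may not record that field, in which case the same join can be run against the metadata database instead) and a mapping from event log ID to `dag_id`. The log lines, the ID-to-DAG snapshot and the per-user scopes are all constructed inline.

```python
"""Retrospective check for cross-DAG Event Log detail reads.

Constructed example, not a PatchSiren or Airflow tool. Assumes a
combined-log-like access log whose third field is the authenticated
username, plus a snapshot of event_log.id -> event_log.dag_id. Both are
constructed inline; a real deployment reads them from its API-server or
reverse-proxy logs and from the metadata database.
"""
import re
from collections import defaultdict

DETAIL_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /api/v2/eventLogs/(?P<id>\d+)(?:\?\S*)? HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed snapshot of event_log.id -> dag_id (None = not tied to a DAG).
EVENT_LOG_DAGS = {
    1: "tenant_a_etl", 2: "tenant_b_billing", 3: None,
    4: "tenant_a_etl", 5: "tenant_b_billing", 6: "tenant_b_billing",
}

# Constructed DAG-level audit-log scope per user ("*" = unscoped reader).
USER_SCOPE = {
    "a_user": {"tenant_a_etl"},
    "b_user": {"tenant_b_billing"},
    "admin": {"*"},
}

# Constructed sample access-log lines.
SAMPLE_LOG = """\
10.0.0.5 - a_user [01/Jun/2026:10:00:01 +0000] "GET /api/v2/eventLogs/1 HTTP/1.1" 200 412
10.0.0.5 - a_user [01/Jun/2026:10:00:02 +0000] "GET /api/v2/eventLogs/2 HTTP/1.1" 200 398
10.0.0.5 - a_user [01/Jun/2026:10:00:03 +0000] "GET /api/v2/eventLogs/3 HTTP/1.1" 200 377
10.0.0.5 - a_user [01/Jun/2026:10:00:04 +0000] "GET /api/v2/eventLogs/9 HTTP/1.1" 404 120
10.0.0.7 - b_user [01/Jun/2026:10:01:00 +0000] "GET /api/v2/eventLogs/5 HTTP/1.1" 200 401
10.0.0.9 - admin [01/Jun/2026:10:02:00 +0000] "GET /api/v2/eventLogs/6 HTTP/1.1" 200 405
10.0.0.5 - a_user [01/Jun/2026:10:03:00 +0000] "GET /api/v2/eventLogs?dag_id=tenant_a_etl HTTP/1.1" 200 900
"""


def find_cross_dag_reads(log_text, event_log_dags=EVENT_LOG_DAGS, user_scope=USER_SCOPE):
    """Return successful detail reads of rows outside the requesting user's
    DAG scope, including rows with no DAG read by a scoped (non-"*") user."""
    findings = []
    for line in log_text.splitlines():
        m = DETAIL_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # only successful detail reads disclosed a row
        user = m.group("user")
        scope = user_scope.get(user, set())
        if "*" in scope:
            continue  # unscoped readers are entitled to every row
        event_log_id = int(m.group("id"))
        dag_id = event_log_dags.get(event_log_id)
        if dag_id is None or dag_id not in scope:
            findings.append({"user": user, "event_log_id": event_log_id,
                             "dag_id": dag_id, "ts": m.group("ts"),
                             "src": m.group("src")})
    return findings


def ids_read_per_user(log_text):
    """Distinct detail IDs each user requested, regardless of status; a user
    touching many IDs, including ones that 404, is worth a closer look."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DETAIL_RE.match(line)
        if m:
            seen[m.group("user")].add(int(m.group("id")))
    return {user: len(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    for f in find_cross_dag_reads(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']} read event log {f['event_log_id']} "
              f"(dag_id={f['dag_id']}) outside its scope")
    print(ids_read_per_user(SAMPLE_LOG))
```

Only responses with status 200 count as findings, since on an unpatched instance those are the requests that actually returned another DAG's row; the collection request on the last line is ignored because its results were already scoped. Rows whose `dag_id` is empty are flagged for scoped users on the same reasoning as the hardened check: a user granted audit-log read on one DAG has no claim to events that belong to none.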

Evidence notes

CVE published 2026-06-01T09:16:20.073Z; modified 2026-06-01T13:13:55.560Z. NVD status: Undergoing Analysis. Vendor identified as Apache with low confidence from reference domain candidate; needs review. Weakness: CWE-639 per [email protected] source.

Official resources

2026-06-01