Apache Airflow <3.1.7: Authenticated UI Users Can View Other DAG Errors
CVE-2026-24098 Published on February 9, 2026

Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors
Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-24098 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-24098 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2026-24098

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-24098 are published in Apache AirFlow:

Apache AirFlow
 

Affected Versions

Apache Software Foundation Apache Airflow:

Exploit Probability

EPSS
0.04%
Percentile
10.57%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.