VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-7q3b-su3j-y7b4

Essentials
Severities (23)
References (8)
Severity details (19)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-7q3b-su3j-y7b4
Aliases	BIT-airflow-2026-26929 CVE-2026-26929 GHSA-4m3h-wp5w-5hqh PYSEC-2026-14
Summary	Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-732	Incorrect Permission Assignment for Critical Resource
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2026-26929
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2026-26929
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2026-26929
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2026-26929
cvssv3.1	6.5	https://github.com/advisories/GHSA-4m3h-wp5w-5hqh
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-4m3h-wp5w-5hqh
cvssv3.1	7.5	https://github.com/apache/airflow
generic_textual	HIGH	https://github.com/apache/airflow
cvssv3.1	6.5	https://github.com/apache/airflow/pull/61675
cvssv3.1	7.5	https://github.com/apache/airflow/pull/61675
generic_textual	HIGH	https://github.com/apache/airflow/pull/61675
ssvc	Track	https://github.com/apache/airflow/pull/61675
cvssv3.1	7.5	https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-14.yaml
generic_textual	HIGH	https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-14.yaml
cvssv3.1	6.5	https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
cvssv3.1	7.5	https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
generic_textual	HIGH	https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
ssvc	Track	https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2026-26929
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-26929
cvssv3.1	6.5	http://www.openwall.com/lists/oss-security/2026/03/17/4
cvssv3.1	7.5	http://www.openwall.com/lists/oss-security/2026/03/17/4
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2026/03/17/4

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-26929
		https://github.com/advisories/GHSA-4m3h-wp5w-5hqh
		https://github.com/apache/airflow
		https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-14.yaml
		https://nvd.nist.gov/vuln/detail/CVE-2026-26929
		http://www.openwall.com/lists/oss-security/2026/03/17/4
61675		https://github.com/apache/airflow/pull/61675
g5o6khx83jwqvdyn0mlyb0krt35cs9ss		https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/advisories/GHSA-4m3h-wp5w-5hqh

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/airflow

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/airflow/pull/61675

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/airflow/pull/61675

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:40:34Z/ Found at https://github.com/apache/airflow/pull/61675

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-14.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:40:34Z/ Found at https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-26929

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2026/03/17/4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2026/03/17/4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.17312
EPSS Score	0.00054
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:44:39.878024+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/26xxx/CVE-2026-26929.json	38.6.0