CVE-2026-24098
Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.01%
Description
Apache Airflow versions 3.0.0 - 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they do not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue.
How to fix CVE-2026-24098
To remediate CVE-2026-24098, upgrade the affected package to a fixed version below.
- Upgrade to 3.1.7 or later
Is CVE-2026-24098 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.1.7
- from 0, < 3.1.7
- >= 3.0.0, < 3.1.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |