CVE-2026-28563
Apache Airflow: DAG authorization bypass
CVSS 3.1 score: 4.3 (MEDIUM)
EPSS: 0.04%
Description
In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only the DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
How to fix CVE-2026-28563
To remediate CVE-2026-28563, upgrade the affected packages to the fixed version listed below.
- Upgrade to 3.1.8 or later (applies to all three affected packages)
Is CVE-2026-28563 being exploited?
Low: EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 3.0.0, < 3.1.8
- >= 3.0.0, < 3.1.8
- >= 3.0.0, < 3.1.8
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |