CVE-2026-40690 — Apache Airflow's asset dependency graph did not restrict nodes by the viewer's D

Description

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

How to fix CVE-2026-40690

To remediate CVE-2026-40690, upgrade the affected package to a fixed version below.

—upgrade to 3.2.1 or later
—upgrade to 3.2.1rc1 or later

Is CVE-2026-40690 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.2.1
from 0, < 3.2.1rc1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40690
PATCHgithub.com/apache/airflow
WEBgithub.com/apache/airflow/commit/cf3452d76e2ef5a8bae247f9fc90c759ff9df02f
WEBgithub.com/apache/airflow/pull/65273
WEB