{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-19T18:28:29.846","vulnerabilities":[{"cve":{"id":"CVE-2026-28563","sourceIdentifier":"security@apache.org","published":"2026-03-17T11:16:11.647","lastModified":"2026-06-17T10:28:51.583","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only the DAG Dependencies permission to enumerate DAGs they are not authorized to view.\n\n\nUsers are advised to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."},{"lang":"es","value":"Las versiones de Apache Airflow desde la 3.1.0 hasta la 3.1.7, en el endpoint /ui/dependencies, devuelven el grafo completo de dependencias de DAG sin filtrar por IDs de DAG autorizados. Esto permite a un usuario autenticado con solo permiso de Dependencias de DAG enumerar DAGs que no están autorizados a ver.\n\nSe recomienda a los usuarios actualizar a Apache Airflow 3.1.8 o posterior, lo que resuelve este problema."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Airflow","defaultStatus":"unaffected","collectionURL":"https://pypi.python.org","packageName":"apache-airflow","versions":[{"version":"3.0.0","lessThan":"3.1.8","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-17T15:41:12.455979Z","id":"CVE-2026-28563","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-732"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.8","matchCriteriaId":"A355B3D5-BAA7-4680-879B-55D6E3D52D68"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/62046","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/03/17/5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}