NIXPKGS-2026-1827

GitHub issue published 1 week, 5 days ago

Permalink CVE-2026-41014

updated 1 week, 5 days ago by @LeSuisse Activity log

Created suggestion 1 week, 5 days ago
@LeSuisse accepted 1 week, 5 days ago
@LeSuisse published on GitHub 1 week, 5 days ago

Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

References

Affected products

apache-airflow

<3.2.2

Matching in nixpkgs

pkgs.apache-airflow

Platform to programmatically author, schedule and monitor workflows

nixos-unstable 3.2.1
- nixpkgs-unstable 3.2.1
- nixos-unstable-small 3.2.1

Package maintainers

@taranarmo Sergey Volkov <taranarmo@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1827

References

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers