Nixpkgs security tracker

Untriaged

Permalink CVE-2026-26929

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Affected products

apache-airflow

<3.1.8

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

nixos-unstable 3.1.6
- nixpkgs-unstable 3.1.6
- nixos-unstable-small 3.1.6
nixos-25.11 2.7.3
- nixos-25.11-small 2.7.3
- nixpkgs-25.11-darwin 2.7.3

Package maintainers

@bhipple Benjamin Hipple <bhipple@protonmail.com>
@gbpdt Graham Bennett <nix@pdtpartners.com>
@ingenieroariel Ariel Nunez <ariel@nunez.co>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers