NIXPKGS-2026-1266

GitHub issue published on

Permalink CVE-2026-40690

4.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 4 weeks ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse accepted 4 weeks ago
@LeSuisse published on GitHub 4 weeks ago

Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

References

Affected products

apache-airflow

<3.2.1

Matching in nixpkgs

pkgs.apache-airflow

Platform to programmatically author, schedule and monitor workflows

nixos-unstable 3.1.7
- nixpkgs-unstable 3.1.7
- nixos-unstable-small 3.1.7
nixos-25.11 2.7.3
- nixos-25.11-small 2.7.3
- nixpkgs-25.11-darwin 2.7.3

Package maintainers

@taranarmo Sergey Volkov <taranarmo@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1266

References

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers