Medium severity 4.3 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026
CVE-2026-40690
Description
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | < 3.2.1rc1 | 3.2.1rc1 |
Affected products
- osv-coords (2 versions): < 3.2.1 + 1 more
- (no CPE) range: < 3.2.1
- (no CPE) range: < 3.2.1rc1
References
- github.com/apache/airflow/pull/65273 (nvd; Issue Tracking, Patch; WEB)
- www.openwall.com/lists/oss-security/2026/04/24/4 (nvd; Mailing List, Third Party Advisory; WEB)
- github.com/advisories/GHSA-w7rc-q6cm-f5gm (ghsa; ADVISORY)
- lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl (nvd; Mailing List, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-40690 (ghsa; ADVISORY)
- github.com/apache/airflow/commit/cf3452d76e2ef5a8bae247f9fc90c759ff9df02f (ghsa; WEB)