potiuk commented on issue #62532:
URL: https://github.com/apache/airflow/issues/62532#issuecomment-4459519493
PR landscape on apache/airflow side:
- #62654 — closed unmerged. Author Vamsi-klu, Claude-Code-generated. The
body's "any authenticated user could list/view tasks for any DAG" framing
contradicts the actual issue (over-restrictive 404, not under-restrictive open
access). PR also touched the wrong endpoint (/tasks, not
/tasks/group/{group_id}). Maintainers rejected it.
- No other open or merged PR addressing #62532.
My read of the issue:
- User with `can read` on `DAG:specific_dag_id` gets 404 at
`/dags/{dag_id}/tasks/group/{group_id}` — the endpoint appears to require the
global `can read` on `DAGs` permission, not the per-DAG one.
- Workaround: grant the global permission → user now sees all DAGs
(unintended widening).
- This is over-restrictive, not an authorization bypass. The bug denies
legitimate access; it does not grant unauthorized access.
- Indirect operational risk: users granted too-wide perms as workaround. But
that's a deployment-pattern issue, not a CVE.
- Apache/Airflow labels: kind:bug, area:auth, needs-triage. No
security-relevant label from maintainers.
This looks like a functional permission-check bug appropriate for the
regular apache/airflow triage flow, not security@. The PR title's "bypass"
framing was an AI-generated mischaracterization that the maintainers correctly
rejected.
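A simplified model of the two permission checks described in the comment above, added here as an illustration; it is not Airflow's code, and the `User` class, the resource names and the function names are hypothetical:

```python
from dataclasses import dataclass, field

# Hypothetical resource names: one global resource and one resource per DAG.
GLOBAL_DAG_RESOURCE = "DAGs"


def dag_resource(dag_id: str) -> str:
    """Per-DAG resource name, e.g. 'DAG:specific_dag_id'."""
    return f"DAG:{dag_id}"


@dataclass
class User:
    name: str
    # Set of (action, resource) pairs granted to the user.
    perms: set = field(default_factory=set)


def can_read_global(user: User) -> bool:
    return ("can_read", GLOBAL_DAG_RESOURCE) in user.perms


def can_read_dag(user: User, dag_id: str) -> bool:
    """Intended check: the global permission OR the per-DAG permission suffices."""
    return can_read_global(user) or ("can_read", dag_resource(dag_id)) in user.perms


def task_group_over_restrictive(user: User, dag_id: str, group_id: str) -> int:
    """Models the reported behaviour: only the global permission is consulted,
    so a user holding just DAG:<dag_id> gets a 404 for their own DAG."""
    if not can_read_global(user):
        return 404
    return 200  # task group payload would be returned here


def task_group_fixed(user: User, dag_id: str, group_id: str) -> int:
    """Corrected check: per-DAG permission is honoured; other DAGs stay hidden."""
    if not can_read_dag(user, dag_id):
        return 404
    return 200


def visible_dags(user: User, all_dag_ids: list) -> list:
    """Which DAGs a user can see; shows the widening caused by the workaround
    of granting the global permission instead of the per-DAG one."""
    return [d for d in all_dag_ids if can_read_dag(user, d)]
```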
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]