Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.2

Description:

The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache 
Airflow fetched audit-log rows directly by numeric ID after only the generic 
Audit Log permission check, while the collection endpoint `GET 
/api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with 
audit-log read permission for one Dag could retrieve audit-log entries for any 
other Dag by guessing or enumerating the numeric event log ID. Affects 
deployments that rely on per-Dag audit-log scoping. Users are advised to 
upgrade to `apache-airflow` 3.2.2 or later.
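The following is an added illustration of the authorization gap described above, written for this page; it is not Airflow's code and does not reproduce its data model, permission names, or the fix in the referenced pull request. It models the two endpoints as plain Python functions over a constructed in-memory table: `list_event_logs` applies per-Dag scoping, `get_event_log_unscoped` shows the vulnerable pattern (generic permission check, then raw lookup by ID), and `get_event_log_scoped` reuses the collection's scoping predicate. `ids_leaked_by_detail` is a regression check that compares what the detail endpoint hands back against what the collection would list for the same user. The treatment of rows with no `dag_id` (visible to anyone with the generic audit-log read permission) is an assumption of this example.

```python
"""Hypothetical model of the audit-log endpoints described in the advisory.

Constructed example; not Airflow's implementation. The permission model,
table layout and the policy for rows without a dag_id are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


class Forbidden(Exception):
    """HTTP 403: caller lacks the generic Audit Log read permission."""


class NotFound(Exception):
    """HTTP 404: row does not exist or is outside the caller's Dag scope."""


@dataclass(frozen=True)
class EventLog:
    id: int
    dag_id: Optional[str]  # None for events not tied to a Dag (e.g. login)
    event: str


@dataclass(frozen=True)
class User:
    name: str
    can_read_audit_log: bool     # generic "Audit Log" read permission
    readable_dag_ids: frozenset  # Dags this user may read audit logs for


# Constructed sample table, keyed by numeric event_log_id.
EVENT_LOGS: Dict[int, EventLog] = {
    1: EventLog(1, "dag_a", "trigger"),
    2: EventLog(2, "dag_b", "trigger"),
    3: EventLog(3, "dag_b", "delete"),
    4: EventLog(4, None, "login"),
}


def _visible(user: User, row: EventLog) -> bool:
    """Single scoping predicate shared by both endpoints.

    Assumption: rows not tied to any Dag are visible to anyone holding the
    generic audit-log read permission.
    """
    return row.dag_id is None or row.dag_id in user.readable_dag_ids


def list_event_logs(user: User, table: Dict[int, EventLog]) -> List[EventLog]:
    """Collection endpoint: generic permission check, then per-Dag scoping."""
    if not user.can_read_audit_log:
        raise Forbidden()
    return [row for row in table.values() if _visible(user, row)]


def get_event_log_unscoped(user: User, event_log_id: int,
                           table: Dict[int, EventLog]) -> EventLog:
    """Vulnerable pattern: generic permission check, then raw lookup by ID.

    Any existing row is returned to any audit-log reader, whatever its dag_id.
    """
    if not user.can_read_audit_log:
        raise Forbidden()
    row = table.get(event_log_id)
    if row is None:
        raise NotFound()
    return row


def get_event_log_scoped(user: User, event_log_id: int,
                         table: Dict[int, EventLog]) -> EventLog:
    """Hardened: the detail endpoint reuses the collection's scoping predicate.

    An out-of-scope row is reported as 404 rather than 403, so the endpoint
    does not confirm to a guessing client that the ID exists.
    """
    if not user.can_read_audit_log:
        raise Forbidden()
    row = table.get(event_log_id)
    if row is None or not _visible(user, row):
        raise NotFound()
    return row


def ids_leaked_by_detail(user: User, table: Dict[int, EventLog],
                         detail: Callable[..., EventLog]) -> Set[int]:
    """Regression check: IDs the detail endpoint returns for this user that the
    collection endpoint would not list. A correctly scoped detail endpoint
    yields an empty set."""
    listed = {row.id for row in list_event_logs(user, table)}
    reachable: Set[int] = set()
    for event_log_id in table:  # a real test would probe a range of IDs
        try:
            reachable.add(detail(user, event_log_id, table).id)
        except NotFound:
            pass
    return reachable - listed


if __name__ == "__main__":
    alice = User("alice", True, frozenset({"dag_a"}))
    print(ids_leaked_by_detail(alice, EVENT_LOGS, get_event_log_unscoped))  # {2, 3}
    print(ids_leaked_by_detail(alice, EVENT_LOGS, get_event_log_scoped))    # set()
```

The practical takeaway is the shared predicate: when a collection endpoint filters rows by a scope, every by-ID detail endpoint over the same table has to evaluate the same predicate on the fetched row, and a test that diffs detail reachability against the collection catches the divergence before it ships.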

Credit:

Stoyan Stoyanov Trendafilov (trstoyan), independent security researcher (finder)
Pierre Jeambrun (@pierrejeambrun) (remediation developer)

References:

https://github.com/apache/airflow/pull/67112
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46764
