CVE-2026-40690
medium
CVSS v3
—
CVSS v2
—
VIR risk
5.5
Description
Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE; see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | apache-airflow | <3.2.1rc1 | 3.2.1rc1 |
| PIP | apache-airflow | < 3.2.1rc1 | 3.2.1rc1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-40690
- https://github.com/apache/airflow/pull/65273
- https://github.com/apache/airflow/commit/cf3452d76e2ef5a8bae247f9fc90c759ff9df02f
- https://github.com/apache/airflow
- https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl
- http://www.openwall.com/lists/oss-security/2026/04/24/4
- https://github.com/advisories/GHSA-w7rc-q6cm-f5gm