Package impact
PyPI / apache-airflow
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-38743 | medium | — | 5.5 | 1mo ago | Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record | |
| CVE-2026-40690 | medium | — | 5.5 | 1mo ago | Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions | |