CVE-2026-40690
asset dependency graph vulnerability in apache-airflow (PyPI)

Component: asset dependency graph. Exploit status: no known public exploit.

What is CVE-2026-40690 About?

This vulnerability allows users who are not authorized to view particular assets or DAGs to enumerate them, because the asset dependency graph performed insufficient permission checks. An attacker could discover the existence and names of sensitive internal resources, leading to information disclosure. Exploitation is relatively easy, requiring only read access to at least one DAG.

Affected Software

apache-airflow <3.2.1rc1

Technical Details

The asset dependency graph component failed to enforce proper read permissions when displaying dependency information. Specifically, a user with read access to even a single DAG could query the graph for any asset across the entire deployment. The system did not restrict the returned information based on the user's authorized scope, thereby revealing the existence and names of DAGs and other assets they were not permitted to view. This information leak occurs because the graph browsing functionality bypassed the granular permission checks established for individual assets.
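The following is an added illustration of the access-control gap described above, written for this page; it is not Apache Airflow's code, and the DAG ids, asset names, permission table and function names are all constructed for the example. It places the flawed pattern (one readable DAG unlocks the whole graph) beside a scoped version that filters graph edges down to the DAGs the caller may read, and a helper that lists which names the flawed version exposes beyond the caller's scope.

```python
"""Toy asset dependency graph with per-DAG read permissions.

Constructed example for this page; not Airflow's implementation.
Every name below (DAG ids, asset URIs, users) is made up.
"""

# Constructed sample deployment: (dag_id, asset, direction).
SAMPLE_EDGES = [
    ("etl_public", "s3://bucket/public_report", "produces"),
    ("etl_finance", "s3://bucket/payroll", "produces"),
    ("ml_train", "s3://bucket/payroll", "consumes"),
    ("ml_train", "s3://bucket/model", "produces"),
]

# Constructed permission table: user -> set of DAG ids the user may read.
SAMPLE_PERMISSIONS = {
    "alice": {"etl_public"},
    "bob": {"etl_finance", "ml_train"},
}


def build_graph(edges):
    """Return {asset: {"producers": set(dag_ids), "consumers": set(dag_ids)}}."""
    graph = {}
    for dag_id, asset, direction in edges:
        node = graph.setdefault(asset, {"producers": set(), "consumers": set()})
        key = "producers" if direction == "produces" else "consumers"
        node[key].add(dag_id)
    return graph


def vulnerable_dependency_graph(user, edges, perms):
    """Mirrors the flaw: the only check is 'can read at least one DAG',
    after which the entire deployment-wide graph is returned."""
    if not perms.get(user):
        raise PermissionError(f"{user} has no DAG read access")
    return build_graph(edges)


def scoped_dependency_graph(user, edges, perms):
    """Hardened form: keep only edges whose DAG the user may read, so the
    graph cannot reveal DAG ids or assets outside the user's scope."""
    allowed = perms.get(user, set())
    if not allowed:
        raise PermissionError(f"{user} has no DAG read access")
    visible_edges = [edge for edge in edges if edge[0] in allowed]
    return build_graph(visible_edges)


def _names_in(graph):
    """All asset and DAG names that appear anywhere in a graph."""
    names = set(graph)
    for node in graph.values():
        names |= node["producers"] | node["consumers"]
    return names


def leaked_names(user, edges, perms):
    """Names the flawed endpoint exposes to `user` that the scoped one does not.
    Useful when reviewing what a low-privilege account could have enumerated."""
    return _names_in(vulnerable_dependency_graph(user, edges, perms)) - _names_in(
        scoped_dependency_graph(user, edges, perms)
    )


if __name__ == "__main__":
    for user in SAMPLE_PERMISSIONS:
        print(user, "would have seen beyond scope:", sorted(leaked_names(user, SAMPLE_EDGES, SAMPLE_PERMISSIONS)))
```

One design point worth noting: the scoped version still shows an asset's name to a user whose readable DAG consumes it, even when the producing DAG is hidden, because that asset is already part of the DAG the user is entitled to see; what it withholds are the DAG ids and assets that never touch the user's readable DAGs.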

What is the Impact of CVE-2026-40690?

Successful exploitation may allow attackers to gain unauthorized knowledge of an organization's internal asset structure and sensitive data flow, aiding in further reconnaissance or targeted attacks.

What is the Exploitability of CVE-2026-40690?

Exploitation of this vulnerability is of low to moderate complexity. It requires an authenticated user with at least minimal read permissions to any DAG within the system. No special privileges beyond basic read access are necessary. The vulnerability can be exploited remotely by interacting with the asset dependency graph interface, making it accessible to any authorized user. There are no notable special conditions or constraints, and the primary risk factor is the presence of authenticated users capable of querying the graph.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2026-40690?

Available Upgrade Options

  • apache-airflow
    • <3.2.1rc1 → Upgrade to 3.2.1rc1


Additional Resources

What are Similar Vulnerabilities to CVE-2026-40690?

Similar Vulnerabilities: CVE-2022-21665, CVE-2021-41227, CVE-2020-13936, CVE-2019-10023, CVE-2018-11759