{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-24098","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-01-21T15:52:53.472Z","datePublished":"2026-02-09T10:32:53.910Z","dateUpdated":"2026-03-10T18:14:10.674Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://pypi.python.org","defaultStatus":"unaffected","packageName":"apache-airflow","product":"Apache Airflow","vendor":"Apache Software Foundation","versions":[{"lessThan":"3.1.7","status":"affected","version":"3.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Saurabh"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. <br><br>Users are advised to upgrade to 3.1.7 or later, which resolves this issue"}],"value":"Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. \n\nUsers are advised to upgrade to 3.1.7 or later, which resolves this issue"}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-03-10T18:14:10.674Z"},"references":[{"tags":["patch"],"url":"https://github.com/apache/airflow/pull/60801"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x"}],"source":{"discovery":"UNKNOWN"},"title":"Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-02-09T15:28:52.675029Z","id":"CVE-2026-24098","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-09T15:29:40.555Z"}},{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/02/09/3"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-02-09T17:18:52.980Z"}}]}}