=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN137
_____________________________________________________________________

DATE                : 09/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions
                            prior to 3.1.7.

=====================================================================
https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x
_____________________________________________________________________

CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission
Bypass

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.7

Description:

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization
flaw that can allow an authenticated user with custom permissions
limited to task access to view task logs without having task log
access. 

Users are recommended to upgrade to Apache Airflow 3.1.7 or later,
which resolves this issue.

Credit:

34selen (finder)
Shubham Raj (remediation developer)

References:

https://github.com/apache/airflow/pull/60412
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-22922
_____________________________________________________________________

CVE-2026-24098: Apache Airflow: Assigning single DAG permission
leaked all DAGs Import Errors

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.1.7

Description:

Apache Airflow versions before 3.1.7 have a vulnerability that allows
authenticated UI users with permission to one or more specific Dags
to view import errors generated by other Dags they did not have
access to.

Users are advised to upgrade to 3.1.7 or later, which resolves this
issue.

Credit:

Saurabh (finder)

References:

https://github.com/apache/airflow/pull/60801
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-24098
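
The two CVEs above cover different version ranges: CVE-2026-22922 starts at 3.1.0, while CVE-2026-24098 applies to every release before 3.1.7. The following triage script is an added example, not part of the advisory or of Apache Airflow; the host names and inventory are constructed, and treating a 3.1.7 pre-release as still affected is an assumption.

```python
"""Triage Airflow versions against the two ranges in this advisory."""
import re
from importlib import metadata

# (CVE id, first affected release or None for "all earlier", first fixed release)
ADVISORY = [
    ("CVE-2026-22922", (3, 1, 0), (3, 1, 7)),
    ("CVE-2026-24098", None, (3, 1, 7)),
]
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.?(a|b|rc|dev)\d*)?")


def parse(version):
    """Return ((major, minor, patch), is_prerelease) for an X.Y.Z[rcN] string."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Airflow version: {version!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None


def affected_cves(version):
    """List the advisory's CVEs whose affected range contains `version`."""
    release, prerelease = parse(version)
    hits = []
    for cve, first_affected, fixed in ADVISORY:
        # Assumption: a pre-release of the fixed version (e.g. 3.1.7rc1) is
        # treated as still affected; the advisory only names the final 3.1.7.
        before_fix = release < fixed or (release == fixed and prerelease)
        if before_fix and (first_affected is None or release >= first_affected):
            hits.append(cve)
    return hits


def installed_airflow_version():
    """Version of apache-airflow in the current environment, or None."""
    try:
        return metadata.version("apache-airflow")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed inventory (hypothetical host names), not data from the advisory.
    inventory = {"sched-a": "2.10.5", "sched-b": "3.1.6", "sched-c": "3.1.7"}
    local = installed_airflow_version()
    if local:
        inventory["localhost"] = local
    for host, version in inventory.items():
        print(host, version, affected_cves(version) or "not affected")
```

A 2.x or 3.0.x deployment is reported for CVE-2026-24098 only, so the upgrade to 3.1.7 is relevant even where CVE-2026-22922 does not apply.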
 
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




