CVE-2026-34538

Name: CVE-2026-34538
Creator: NVD / NIST
Published: 2026-04-09T10:16:22.407+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.69%

Last modified Jun 17, 2026

CVE-2026-34538 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.. EPSS estimates a 0.69% chance of exploitation in the next 30 days.

Description

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.69%

47.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-668

Affected Software

Vendor	Product	Versions
Apache	Airflow	>= 3.0.0, < 3.2.0

References

https://github.com/apache/airflow/pull/64415Broken Link, Issue Tracking
https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9flMailing List, Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/04/09/9Mailing List, Third Party Advisory

Timeline

Published: Apr 9, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-34538?

How severe is CVE-2026-34538?

CVE-2026-34538 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.69% probability of exploitation in the next 30 days.

How do I fix CVE-2026-34538?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-34538?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST