CVE-2026-46764 - Vulnerability Details - OpenCVE

The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/31/14
https://github.com/apache/airflow/pull/67112
https://lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv

History

Mon, 01 Jun 2026 09:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/31/14

Mon, 01 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title		Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter
Weaknesses		CWE-639
References		https://github.com/apache/airflow/pull/67112 https://lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-01T07:45:48.288Z

Updated: 2026-06-01T07:48:02.639Z

Reserved: 2026-05-18T15:42:29.004Z

Link: CVE-2026-46764

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T09:16:20.073

Modified: 2026-06-01T09:16:20.073

Link: CVE-2026-46764

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46764", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-05-18T15:42:29.004Z", "datePublished": "2026-06-01T07:45:48.288Z", "dateUpdated": "2026-06-01T07:48:02.639Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Stoyan Stoyanov Trendafilov (trstoyan), independent security researcher"}, {"lang": "en", "type": "remediation developer", "value": "Pierre Jeambrun (@pierrejeambrun)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later."}], "value": "The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-01T07:45:48.288Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/67112"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/31/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-01T07:48:02.639Z"}}]}}