Platform
python
Component
apache-airflow
Fixed in
3.2.0
CVE-2026-34538 is a security vulnerability affecting Apache Airflow versions 3.0.0 through 3.1.8. This issue allows users with DAG Run read permissions, such as those with the Viewer role, to access XCom result values, which they should not be able to. This bypasses the intended access control mechanisms of the FAB RBAC model and conflicts with Airflow's security documentation. A fix is available in version 3.2.0.
The primary impact of CVE-2026-34538 is the unauthorized exposure of sensitive data stored within XComs. XComs are used to exchange data between task instances in Airflow, and often contain critical information such as database credentials, API keys, or other confidential data. Attackers exploiting this vulnerability could gain access to this data by leveraging their existing DAG Run read permissions, effectively bypassing the intended security boundaries. This could lead to data breaches, unauthorized access to downstream systems, and potential compromise of the entire Airflow environment. The blast radius extends to any system or service that relies on the data exchanged through XComs.
CVE-2026-34538 was publicly disclosed on 2026-04-09. Currently, there are no known public proof-of-concept exploits available. The vulnerability's severity is rated as Medium, suggesting a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not yet confirmed, but the ease of exploitation warrants close monitoring.
Exploit Status
EPSS
0.04% (12th percentile)
CVSS Vector
The recommended mitigation for CVE-2026-34538 is to upgrade Apache Airflow to version 3.2.0 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to restrict access to the DagRun wait endpoint using network-level firewalls or access control lists (ACLs), limiting access to only authorized users and services. Additionally, review and tighten the permissions granted to the Viewer role, ensuring it adheres strictly to the read-only principles outlined in the Airflow security documentation. After upgrading, confirm the fix by attempting to access XCom values with a user account possessing only DAG Run read permissions; access should be denied.
Update Apache Airflow to version 3.2.0 or later to resolve the vulnerability. This update corrects the XCom exposure issue by preventing users who hold only DagRun read permissions from accessing XCom results, an exposure that contradicted the FAB RBAC (Role-Based Access Control) model.
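A post-upgrade check for the verification step above, written here as an added example (not from the advisory or from the Airflow project): it flags an Airflow version inside the affected range and classifies the response that a DAG-Run-read-only account (e.g. the Viewer role) gets from the XCom read paths. The `/api/v2` endpoint paths, the wait endpoint's `result` query parameter and the JSON keys inspected are assumptions about the Airflow 3 REST API; adjust them to your deployment.

```python
import json
import urllib.request
from urllib.error import HTTPError

AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 1, 8)   # affected range stated in the advisory
XCOM_KEYS = ("xcom_entries", "value", "results")   # response keys carrying XCom data (assumed)

def parse_version(text):
    """'3.1.8' -> (3, 1, 8); '3.2.0rc1' -> (3, 2, 0), pre-release suffix dropped."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = "".join(ch if ch.isdigit() else " " for ch in piece).split()
        parts.append(int(digits[0]) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version_text):
    """True when the reported Airflow version lies inside 3.0.0 .. 3.1.8."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def xcom_leaked(status, raw_body):
    """True when a 2xx response to a DAG-Run-read-only account carries XCom data; a fixed
    server answers 401/403. Accepts plain or newline-delimited JSON (the wait endpoint streams)."""
    if not 200 <= status < 300:
        return False
    for chunk in [raw_body] + raw_body.splitlines():
        try:
            obj = json.loads(chunk)
        except ValueError:
            continue
        if isinstance(obj, dict) and any(obj.get(k) for k in XCOM_KEYS):
            return True
    return False

def probe(base_url, token, dag_id, run_id, task_id):
    """Exercise both XCom read paths with the read-only user's token; returns
    {path_name: leaked?}. Paths and the `result` parameter are assumptions."""
    paths = {
        "xcom_entries": f"/api/v2/dags/{dag_id}/dagRuns/{run_id}/taskInstances/{task_id}/xcomEntries",
        "dagrun_wait": f"/api/v2/dags/{dag_id}/dagRuns/{run_id}/wait?result={task_id}",
    }
    findings = {}
    for name, path in paths.items():
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as err:
            status, body = err.code, ""
        findings[name] = xcom_leaked(status, body)   # any True means the fix is not in place
    return findings
```

Run `probe()` with a token for an account that holds only DAG Run read permission; after upgrading to 3.2.0 every entry should be False.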
CVE-2026-34538 is a medium-severity vulnerability in Apache Airflow versions 3.0.0 through 3.1.8 that allows unauthorized users with DAG Run read permissions to access XCom values, bypassing access controls.
You are affected if you are running Apache Airflow versions 3.0.0 through 3.1.8 and have users with DAG Run read permissions.
Upgrade Apache Airflow to version 3.2.0 or later to remediate the vulnerability. Consider temporary workarounds like restricting access to the DagRun wait endpoint if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants monitoring.
Refer to the Apache Airflow security advisories page for the official announcement and details: [https://airflow.apache.org/security/](https://airflow.apache.org/security/)