Homepage

Exposure of Resource to Wrong Sphere Affecting airflow-3-advanced-compat package, versions <3.2.0-r0

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-AIRFLOW3ADVANCEDCOMPAT-16035629
  • published14 Apr 2026
  • disclosed9 Apr 2026
Report a new vulnerability Found a mistake?

Introduced: 9 Apr 2026

NewCVE-2026-34538  (opens in a new tab)
CWE-668  (opens in a new tab)

How to fix?

Upgrade Minimos:latest airflow-3-advanced-compat to version 3.2.0-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream airflow-3-advanced-compat package and not the airflow-3-advanced-compat package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only.

Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results.

Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.