waltervillarreal opened a new issue, #62684:
URL: https://github.com/apache/airflow/issues/62684

   ### Apache Airflow version
   
   3.1.7
   
   ### If "Other Airflow 3 version" selected, which one?
   
   _No response_
   
   ### What happened?
   
   There is a critical flaw in the FastAPI backend when retrieving TaskGroup 
details for the Grid View in the UI. The API queries the database using the 
run_id but fails to enforce the dag_id filter in the WHERE clause during the 
resolution of the DAG version and task instances.
   
   When two distinct DAGs share the exact same schedule, the scheduler 
generates identical run_id strings (e.g., scheduled__2026-03-01T04:37:00+00:00) 
for both executions.
   
   When a user clicks on a TaskGroup in the UI for DAG A, the API executes a 
query like this (captured via postgres -c log_statement=all):
   
   ```sql
   SELECT dag_run.id, dag_run.dag_id, ...
   FROM dag_run
   WHERE dag_run.run_id = 'scheduled__2026-03-01T04:37:00+00:00'
   ```
   Notice the missing AND dag_run.dag_id = 'dag_a'.
   
   Because dag_id is omitted, the database returns multiple rows (one for DAG 
A, one for DAG B). The backend arbitrarily picks one result (e.g., DAG B) and 
then fetches the serialized JSON for the wrong DAG:
   
   ```sql
   SELECT dag_version.id, ...
   FROM dag_version
   WHERE dag_version.dag_id = 'bug_tgs_b'
   ORDER BY dag_version.created_at DESC
   LIMIT 1
   ```
   
   The frontend attempts to map DAG A's TaskGroup into DAG B's serialized 
schema, fails silently, and returns a 404 Not Found - No Task Instances found 
error in the UI.
   
   <img width="2457" height="756" alt="Image" src="https://github.com/user-attachments/assets/4714bb92-42c0-4b12-8d9c-bc04bcb833d6" />
   
   Full SQL used by API:
   ```sql
   SELECT dag_run.id,
          dag_run.dag_id,
          dag_run.queued_at,
          dag_run.logical_date,
          dag_run.start_date,
          dag_run.end_date,
          dag_run.state,
          dag_run.run_id,
          dag_run.creating_job_id,
          dag_run.run_type,
          dag_run.triggered_by,
          dag_run.triggering_user_name,
          dag_run.conf,
          dag_run.data_interval_start,
          dag_run.data_interval_end,
          dag_run.run_after,
          dag_run.last_scheduling_decision,
          dag_run.log_template_id,
          dag_run.updated_at,
          dag_run.clear_number,
          dag_run.backfill_id,
          dag_run.bundle_version,
          dag_run.scheduled_by_job_id,
          dag_run.context_carrier,
          dag_run.span_status,
          dag_run.created_dag_version_id
   FROM dag_run
   WHERE dag_run.run_id = 'scheduled__2026-03-01T15:37:00+00:00'
   ```
   Return:
   
   <img width="2172" height="111" alt="Image" src="https://github.com/user-attachments/assets/93cdb99e-c957-49af-8bc8-90f3f0b41269" />
   
   ### What you think should happen instead?
   
   The FastAPI backend endpoints responsible for resolving task instances and 
DAG serialization in the Grid View (e.g., when expanding a TaskGroup) must 
strictly scope their database queries using BOTH `dag_id` and `run_id`. 
   
   A `run_id` string (like `scheduled__2026-03-01T04:37:00+00:00`) is NOT 
guaranteed to be globally unique across the entire Airflow database; it is only 
unique within the context of a specific `dag_id`. Therefore, the API should 
explicitly enforce `AND dag_id = '<current_dag>'` in the WHERE clause to 
prevent cross-DAG context bleeding.
   
   When this proper isolation is enforced, the TaskGroup should expand normally 
in the UI, mapping the correct task instances to the correct serialized DAG 
schema, regardless of identical schedules across multiple DAGs.
   
   ### How to reproduce
   
   By giving both DAGs a TaskGroup and assigning an isolated schedule, the bug 
becomes 100% reproducible regardless of database sorting order or peak hours.
   1. Create bug_tgs_a.py:
   ```python
   from datetime import datetime
   from airflow.sdk import dag, TaskGroup
   from airflow.providers.standard.operators.empty import EmptyOperator
   
   @dag(dag_id="bug_tgs_a", start_date=datetime(2026, 1, 1), schedule="37 4 * * *", catchup=False)
   def tgs_dag_a():
       with TaskGroup("group_a"):
           EmptyOperator(task_id="task_a")
   tgs_dag_a = tgs_dag_a()
   ```
   
   2. Create bug_tgs_b.py:
   ```python
   from datetime import datetime
   from airflow.sdk import dag, TaskGroup
   from airflow.providers.standard.operators.empty import EmptyOperator
   
   @dag(dag_id="bug_tgs_b", start_date=datetime(2026, 1, 1), schedule="37 4 * * *", catchup=False)
   def tgs_dag_b():
       with TaskGroup("group_b"):
           EmptyOperator(task_id="task_b")
   tgs_dag_b = tgs_dag_b()
   ```
   
   Steps:
   1. Drop both files in the dags/ folder.
   2. Unpause them and let the scheduler trigger them simultaneously at the 
scheduled time.
   3. Go to the UI and attempt to expand the TaskGroup in both DAGs.
   4. Because the API fetches only one dag_version for that shared run_id, one 
DAG will expand normally, and the other will inevitably throw the 404 error.
   
   Expected Behavior:
   The backend API must explicitly enforce AND dag_id = '<current_dag>' 
whenever querying runs or task instances by run_id to prevent cross-DAG context 
bleeding.
   
   
   ### Operating System
   
   Docker
   
   ### Versions of Apache Airflow Providers
   
   
   ### Deployment
   
   Docker-Compose
   
   ### Deployment details
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
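
The scoping problem the report describes, as an added example that is not part of the issue or of the Airflow code base: an in-memory SQLite table stands in for `dag_run` (simplified, assumed schema), and the function names are hypothetical. It compares the `run_id`-only lookup with the lookup keyed on both `dag_id` and `run_id`, and adds a query that lists the `run_id` values shared by more than one DAG.

```python
import sqlite3

# Constructed sample data: the two DAGs from the report share one schedule,
# so both runs carry the same run_id string.
RUN_ID = "scheduled__2026-03-01T04:37:00+00:00"

def make_db():
    """Simplified stand-in for the dag_run table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dag_run ("
        " id INTEGER PRIMARY KEY,"
        " dag_id TEXT NOT NULL,"
        " run_id TEXT NOT NULL,"
        " UNIQUE (dag_id, run_id))"  # run_id is unique only per dag_id
    )
    conn.executemany(
        "INSERT INTO dag_run (dag_id, run_id) VALUES (?, ?)",
        [("bug_tgs_a", RUN_ID), ("bug_tgs_b", RUN_ID),
         ("bug_tgs_a", "manual__2026-03-01T05:00:00+00:00")],
    )
    return conn

def runs_unscoped(conn, run_id):
    """The query shape from the report: filters on run_id only."""
    rows = conn.execute(
        "SELECT dag_id FROM dag_run WHERE run_id = ? ORDER BY dag_id", (run_id,)
    )
    return [r[0] for r in rows]

def run_scoped(conn, dag_id, run_id):
    """Scoped lookup: both keys in the WHERE clause, at most one row."""
    rows = conn.execute(
        "SELECT dag_id, run_id FROM dag_run WHERE dag_id = ? AND run_id = ?",
        (dag_id, run_id),
    ).fetchall()
    if len(rows) > 1:  # cannot happen with the unique constraint; fail closed
        raise LookupError("ambiguous dag_run lookup")
    return rows[0] if rows else None

def shared_run_ids(conn):
    """run_id values used by more than one DAG, i.e. lookups at risk."""
    rows = conn.execute(
        "SELECT run_id, COUNT(DISTINCT dag_id) FROM dag_run"
        " GROUP BY run_id HAVING COUNT(DISTINCT dag_id) > 1"
    )
    return {r[0]: r[1] for r in rows}

if __name__ == "__main__":
    db = make_db()
    print(runs_unscoped(db, RUN_ID))
    print(run_scoped(db, "bug_tgs_a", RUN_ID))
    print(shared_run_ids(db))
```
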
   

