oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission Bypass

From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Mon, 09 Feb 2026 09:48:01 +0000
Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.7

Description:

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with 
custom permissions limited to task access to view task logs without having task log access. 

Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

Credit:

34selen (finder)
Shubham Raj (remediation developer)

References:

https://github.com/apache/airflow/pull/60412
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-22922
Previous By Date Next
Previous By Thread Next

Current thread: