oss-sec mailing list archives

CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization


From: Rahul Vats <rahulvats () apache org>
Date: Tue, 17 Mar 2026 06:21:43 +0000

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.8

Description:

Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's
Human-in-the-Loop (HITL) endpoints. The endpoints authenticate the calling task instance but do not check that it
owns the HITL record it requests, so any authenticated task instance can read, approve, or reject HITL
workflows belonging to any other task instance.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
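To make the missing check concrete, here is an added illustration (not Airflow's code) of the object-level authorization the advisory describes: an Execution API caller is identified by its task instance, and a HITL record may only be read or answered by the task instance that raised it. The store, the HITLDetail and TaskInstanceContext shapes, and the function names are hypothetical stand-ins for the real endpoint internals.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class AuthorizationError(Exception):
    """Raised when a task instance touches a HITL record it does not own."""


@dataclass
class HITLDetail:
    ti_id: str                      # task instance that raised the HITL request
    subject: str
    response: Optional[str] = None  # set once a human approves or rejects


@dataclass
class TaskInstanceContext:
    """Caller identity derived from the task's Execution API token (hypothetical shape)."""
    ti_id: str


def make_sample_store() -> Dict[str, HITLDetail]:
    # Constructed sample data: two task instances, each with its own pending HITL request.
    return {
        "ti-aaa": HITLDetail("ti-aaa", "Approve deployment of build 1"),
        "ti-bbb": HITLDetail("ti-bbb", "Approve deployment of build 2"),
    }


def update_hitl_unchecked(caller, ti_id, response, store) -> HITLDetail:
    """Pre-fix pattern: caller is authenticated, but never compared with the record's owner."""
    detail = store[ti_id]
    detail.response = response
    return detail


def require_same_task_instance(caller: TaskInstanceContext, ti_id: str) -> None:
    """Per-task authorization: the token's task instance must own the requested record."""
    if caller.ti_id != ti_id:
        raise AuthorizationError(f"task instance {caller.ti_id} may not access HITL record of {ti_id}")


def get_hitl_detail(caller, ti_id, store) -> HITLDetail:
    require_same_task_instance(caller, ti_id)
    return store[ti_id]


def update_hitl_detail(caller, ti_id, response, store) -> HITLDetail:
    require_same_task_instance(caller, ti_id)
    detail = store[ti_id]
    detail.response = response
    return detail
```

The contrast to test for in a deployment is the same one shown here: a request whose token identifies one task instance must be rejected when it names another task instance's HITL record, regardless of whether the token itself is valid.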

Credit:

Kai Aizen (finder)
Aritra Basu (remediation developer)

References:

https://github.com/apache/airflow/pull/62886
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-30911

