CVE-2026-22922

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/60412	Issue Tracking Patch
https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/09/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 11:16

Updated : 2026-02-11 18:30

NVD link : CVE-2026-22922

Mitre link : CVE-2026-22922

CVE.ORG link : CVE-2026-22922

JSON object : View

Products Affected

apache

airflow

CWE

CWE-648

Incorrect Use of Privileged APIs

{"id": "CVE-2026-22922", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-09T11:16:13.187", "references": [{"url": "https://github.com/apache/airflow/pull/60412", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/09/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-648"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. \n\nUsers are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue."}, {"lang": "es", "value": "Las versiones 3.1.0 a 3.1.6 de Apache Airflow contienen una falla de autorizaci\u00f3n que puede permitir a un usuario autenticado con permisos personalizados limitados al acceso a tareas ver los registros de tareas sin tener acceso a los registros de tareas.\n\nSe recomienda a los usuarios actualizar a Apache Airflow 3.1.7 o posterior, lo que resuelve este problema."}], "lastModified": "2026-02-11T18:30:44.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ECDF2B6E-5E76-479A-A5F5-8A867A5176FB", "versionEndExcluding": "3.1.7", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}