CVE-2026-30911

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/62886	Issue Tracking Patch
https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/17/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-17 11:16

Updated : 2026-03-17 17:32

NVD link : CVE-2026-30911

Mitre link : CVE-2026-30911

CVE.ORG link : CVE-2026-30911

JSON object : View

Products Affected

apache

airflow

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-30911", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-17T11:16:11.940", "references": [{"url": "https://github.com/apache/airflow/pull/62886", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/17/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en las versiones de Apache Airflow 3.1.0 a 3.1.7 en los endpoints Human-in-the-Loop (HITL) de la API de Ejecuci\u00f3n que permite a cualquier instancia de tarea autenticada leer, aprobar o rechazar flujos de trabajo HITL pertenecientes a cualquier otra instancia de tarea.\n\nSe recomienda a los usuarios actualizar a Apache Airflow 3.1.8 o posterior, lo que resuelve este problema."}], "lastModified": "2026-03-17T17:32:57.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58CF9626-1125-48AE-A21E-476602618C14", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}