CVE-2026-30911
Authorization Bypass in Apache Airflow HITL Execution API
Publication date: 2026-03-17
Last updated on: 2026-03-17
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 3.1.0 (inc) to 3.1.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
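The page gives no detection guidance, but the affected range in the table above is enough for a version-based exposure check. The following is an added example, not code from the advisory or from Apache Airflow; it relies only on the stated range (3.1.0 inclusive to 3.1.8 exclusive) and treats a pre-release of 3.1.8 as still affected, which is a conservative assumption of this example rather than something the advisory states.

```python
"""Version-range exposure check for CVE-2026-30911.

Added example, not code from the advisory or from Apache Airflow. The only
facts it relies on are the affected range stated on this page:
apache-airflow >= 3.1.0 (inclusive) and < 3.1.8 (exclusive).

Obtain the installed version on a host with one of
    airflow version
    pip show apache-airflow
    python -c "import airflow; print(airflow.__version__)"
and pass the printed string to is_affected().
"""
import re

AFFECTED_MIN = (3, 1, 0, 0)   # first affected release (inclusive)
FIXED_IN = (3, 1, 8, 1)       # first fixed release (exclusive)

# major.minor[.patch] followed by an optional remainder (pre-release tag,
# post-release tag, local version label); a leading "v" is tolerated.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?P<rest>.*?)\s*$")
_PRERELEASE_RE = re.compile(r"^[.\-]?(a|b|rc|alpha|beta|dev)\d*", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, final).

    `final` is 0 for a pre-release (3.1.8rc1, 3.1.8.dev0) and 1 for a final
    release, so a pre-release of the fixed version sorts below the fix and is
    still flagged. Deliberately conservative assumption of this example.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    final = 0 if _PRERELEASE_RE.match(m.group("rest")) else 1
    return (major, minor, patch, final)


def is_affected(version_text):
    """True if the given apache-airflow version falls in [3.1.0, 3.1.8)."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN


def triage(inventory):
    """inventory: mapping host name -> version string (or None when unknown).

    Returns (affected_hosts, unknown_hosts); hosts whose version cannot be
    parsed are reported as unknown rather than silently treated as safe.
    """
    affected, unknown = [], []
    for host, version in inventory.items():
        try:
            if version is None:
                raise ValueError("no version reported")
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unknown.append(host)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; hostnames are invented.
    sample = {
        "airflow-sched-01": "3.1.7",
        "airflow-web-01": "3.1.8",
        "airflow-worker-02": "3.1.0",
        "airflow-worker-03": "3.0.6",
        "airflow-staging": "3.1.8rc1",
        "airflow-legacy": None,
    }
    affected, unknown = triage(sample)
    print("affected:", affected)
    print("unknown:", unknown)
```

Hosts that report no parseable version land in the `unknown` list on purpose: an inventory gap should surface as work to do, not as a clean result.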
How can this vulnerability impact me?
This vulnerability allows unauthorized access to, and manipulation of, HITL workflows in Apache Airflow.
Specifically, a task instance authenticated to the Execution API can read HITL details that belong to other task instances, and approve or reject HITL requests it should not control.
This can result in incorrect workflow executions, disclosure of workflow data, or unauthorized changes to task approvals, disrupting business processes or compromising data integrity.
Can you explain this vulnerability to me?
This vulnerability exists in Apache Airflow versions 3.1.0 through 3.1.7 and involves a missing authorization check in the Execution API's Human-in-the-Loop (HITL) endpoints.
It allows any authenticated task instance to read, approve, or reject HITL workflows that belong to other task instances, which should normally be restricted.
The issue is that the system does not validate that the approval or action on a HITL workflow is coming from the correct task instance. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache Airflow to version 3.1.8 or later, where the issue has been resolved.
The fix involves adding task instance validation for Human-in-the-Loop (HITL) approvals to ensure that approvals originate from the correct task instance, preventing unauthorized access.
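The missing check described in the explanation above, and the task instance validation the fix adds, side by side. This is an added illustration in Python, hypothetical code that is not Apache Airflow's Execution API implementation; every name in it (HITLDetail, Caller, update_hitl_vulnerable, update_hitl_fixed, get_hitl_fixed, the sample records) is invented, and it assumes only what the advisory says: the caller is an authenticated task instance, and the HITL record it touches is identified by a task instance id in the request.

```python
"""The CWE-862 pattern behind CVE-2026-30911, side by side with the fix.

Added, hypothetical example: NOT Apache Airflow's Execution API code. All
names below are invented. It models what the advisory describes: a task
instance calling the HITL endpoints is authenticated, but the vulnerable
handler never checks that the HITL record it reads or updates belongs to
that task instance.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Caller is authenticated but not allowed to act on this record."""


class NotFound(Exception):
    """No HITL record for the requested task instance."""


@dataclass
class HITLDetail:
    ti_id: str                  # task instance the HITL request belongs to
    subject: str
    options: List[str]
    chosen: Optional[str] = None
    responded_by: Optional[str] = None


@dataclass(frozen=True)
class Caller:
    """Identity established by the API's authentication step. Assumption of
    this example: a task instance's token identifies exactly one ti_id."""
    ti_id: str


def make_store() -> Dict[str, HITLDetail]:
    """Constructed sample data; ids and prompts are invented."""
    return {
        "ti-aaa": HITLDetail("ti-aaa", "Approve deployment to prod?", ["approve", "reject"]),
        "ti-bbb": HITLDetail("ti-bbb", "Release payroll batch?", ["approve", "reject"]),
    }


def _apply_response(detail: HITLDetail, caller: Caller, chosen: str) -> HITLDetail:
    if chosen not in detail.options:
        raise ValueError(f"{chosen!r} is not one of {detail.options}")
    detail.chosen = chosen
    detail.responded_by = caller.ti_id
    return detail


def update_hitl_vulnerable(store, caller: Caller, path_ti_id: str, chosen: str) -> HITLDetail:
    """Vulnerable shape: authentication happened, authorization did not.
    The record is selected purely by the id in the request path, so any
    authenticated task instance can answer any other instance's request."""
    detail = store.get(path_ti_id)
    if detail is None:
        raise NotFound(path_ti_id)
    return _apply_response(detail, caller, chosen)


def update_hitl_fixed(store, caller: Caller, path_ti_id: str, chosen: str) -> HITLDetail:
    """Fixed shape: the path id must match the authenticated task instance.
    The check runs before the lookup, so 403-vs-404 differences cannot be
    used to probe which task instance ids have HITL records."""
    if caller.ti_id != path_ti_id:
        raise Forbidden(f"task instance {caller.ti_id} may not act on {path_ti_id}")
    detail = store.get(path_ti_id)
    if detail is None:
        raise NotFound(path_ti_id)
    return _apply_response(detail, caller, chosen)


def get_hitl_fixed(store, caller: Caller, path_ti_id: str) -> HITLDetail:
    """The read path gets the same ownership check as the write path."""
    if caller.ti_id != path_ti_id:
        raise Forbidden(f"task instance {caller.ti_id} may not read {path_ti_id}")
    detail = store.get(path_ti_id)
    if detail is None:
        raise NotFound(path_ti_id)
    return detail


def demo() -> dict:
    """Run both handlers with a caller acting on another instance's record."""
    attacker = Caller("ti-aaa")
    cross = update_hitl_vulnerable(make_store(), attacker, "ti-bbb", "approve").chosen
    fixed = make_store()
    try:
        update_hitl_fixed(fixed, attacker, "ti-bbb", "approve")
        blocked = False
    except Forbidden:
        blocked = True
    own = update_hitl_fixed(fixed, attacker, "ti-aaa", "reject").chosen
    return {"vulnerable_cross_approve": cross, "fixed_blocked": blocked, "fixed_own": own}


if __name__ == "__main__":
    print(demo())
```

Two points worth carrying over to a real review of this class of bug: the ownership check belongs on every route that takes the task instance id, read as well as write, and it should run before the database lookup so that a rejected caller learns nothing about which ids exist.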