CVE-2026-30911
Authorization Bypass in Apache Airflow HITL Execution API

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: Apache Software Foundation

Description
Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Meta Information
Published: 2026-03-17
Last Modified: 2026-03-17
Generated: 2026-06-16
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: apache
Product: airflow
Version range: from 3.1.0 (inclusive) to 3.1.8 (exclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Detection Guidance

I don't know

Impact Analysis

This vulnerability can lead to unauthorized access and manipulation of HITL workflows in Apache Airflow.

Specifically, an authenticated task instance could read sensitive workflow data or approve/reject workflows that it should not have control over.

This could result in incorrect workflow executions, data leaks, or unauthorized changes to task approvals, potentially disrupting business processes or compromising data integrity.

Executive Summary

This vulnerability exists in Apache Airflow versions 3.1.0 through 3.1.7 and involves a missing authorization check in the Execution API's Human-in-the-Loop (HITL) endpoints.

It allows any authenticated task instance to read, approve, or reject HITL workflows that belong to other task instances, which should normally be restricted.

The issue is that the system does not validate that the approval or action on a HITL workflow is coming from the correct task instance. [1]

Compliance Impact

I don't know

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Airflow to version 3.1.8 or later, where the issue has been resolved.

The fix involves adding task instance validation for Human-in-the-Loop (HITL) approvals to ensure that approvals originate from the correct task instance, preventing unauthorized access.
