CVE-2026-30911
Received Received - Intake

Authorization Bypass in Apache Airflow HITL Execution API

Vulnerability report for CVE-2026-30911, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: Apache Software Foundation

Description

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-17
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-03-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 3.1.0 (inc) to 3.1.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

I don't know

Impact Analysis

This vulnerability can lead to unauthorized access and manipulation of HITL workflows in Apache Airflow.

Specifically, an authenticated task instance could read sensitive workflow data or approve/reject workflows that it should not have control over.

This could result in incorrect workflow executions, data leaks, or unauthorized changes to task approvals, potentially disrupting business processes or compromising data integrity.

Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in Apache Airflow versions 3.1.0 through 3.1.7 and involves a missing authorization check in the Execution API's Human-in-the-Loop (HITL) endpoints."}, {'type': 'paragraph', 'content': 'It allows any authenticated task instance to read, approve, or reject HITL workflows that belong to other task instances, which should normally be restricted.'}, {'type': 'paragraph', 'content': 'The issue is that the system does not validate that the approval or action on a HITL workflow is coming from the correct task instance.'}] [1]

Compliance Impact

I don't know

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Airflow to version 3.1.8 or later, where the issue has been resolved.

The fix involves adding task instance validation for Human-in-the-Loop (HITL) approvals to ensure that approvals originate from the correct task instance, preventing unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart