CVE-2026-41084
Status: Analyzed (analysis complete)
Authorization Bypass in Apache Airflow Task Instances API

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: Apache Software Foundation

Description
A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Vendor: apache; Product: airflow; Version range: from 3.2.0 (inclusive) to 3.2.2 (exclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability is a Role-Based Access Control (RBAC) bypass in Apache Airflow's bulk Task Instances API. The API endpoint evaluates authorization based on the DAG ID in the URL path but operates on DAG and task instance IDs provided in the request body without re-validating access for each referenced DAG. This means an authenticated user with edit permission on one DAG can modify task instances in other DAGs they are not authorized to access by keeping the authorized DAG ID in the URL and specifying other DAG IDs in the request body.

The issue affects deployments that rely on per-DAG edit-scope to isolate Task Instance state between teams. The vulnerability was fixed by adding per-entity DAG authorization checks for each DAG ID in the request body, ensuring users can only modify task instances in DAGs they are authorized to edit.

Impact Analysis

This vulnerability allows an authenticated user with edit permission on one DAG to modify task instances in other DAGs they should not have access to. This can lead to unauthorized changes in task instance states across different DAGs, potentially disrupting workflows, causing data integrity issues, or interfering with team-specific task management.

Organizations relying on per-DAG edit permissions to isolate task instance state between teams may find that this isolation is broken, leading to cross-team interference and potential operational risks.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade Apache Airflow to version 3.2.2 or later.

The fix includes per-entity DAG authorization checks to prevent unauthorized modification of task instances across different DAGs.

Compliance Impact

This vulnerability allows an authenticated user with edit permission on one DAG to modify task instances in other DAGs without proper authorization checks. This cross-DAG Role-Based Access Control (RBAC) bypass can lead to unauthorized data modification across different teams or projects.

Such unauthorized access and modification could potentially violate compliance requirements in standards like GDPR or HIPAA, which mandate strict access controls and data isolation to protect sensitive information and ensure accountability.

Deployments relying on per-DAG edit-scope to isolate task instance state between teams are particularly affected, as this vulnerability breaks that isolation, increasing the risk of unauthorized data exposure or alteration.

Users are advised to upgrade to Apache Airflow version 3.2.2 or later, where per-entity DAG authorization checks have been introduced to mitigate this issue.

Detection Guidance

This vulnerability involves an authorization bypass in Apache Airflow's bulk Task Instances API, where an authenticated user with edit permission on one DAG can modify task instances in other DAGs by manipulating the request body while keeping the authorized DAG's ID in the URL path.

To detect exploitation attempts on your system or network, you should monitor API requests to the bulk Task Instances endpoint, specifically PATCH or DELETE requests to paths like /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances.

Look for requests where the URL path contains a DAG ID that the user is authorized to edit, but the request body contains different DAG IDs for task instances. Such mismatches are the signature of this bypass; confirm each one against the user's Dag edit permissions, since a user who is legitimately authorized on both Dags produces the same pattern.

Suggested commands to detect suspicious activity include:

  • Using network traffic capture tools (e.g., tcpdump or Wireshark) to filter HTTP PATCH or DELETE requests to the affected API endpoint.
  • Example tcpdump command to capture plaintext HTTP requests whose TCP payload begins with PATC or DELE (BPF can compare only 1-, 2- or 4-byte fields, so the method is matched on its first four bytes and the path is filtered afterwards, for example by piping the -A output through grep for /taskInstances, or with the Wireshark display filter http.request.uri contains "/taskInstances"); adjust the port to your deployment, and capture at the TLS-terminating proxy if the API is served over HTTPS: tcpdump -i any -A 'tcp port 8080 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x50415443 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x44454c45)'
  • Parsing web server or reverse-proxy logs (e.g., Apache or Nginx access logs) for PATCH or DELETE requests to /api/v2/dags/*/dagRuns/*/taskInstances and inspecting request bodies for DAG ID mismatches; note that default access-log formats record only the request line, so body-level inspection requires a proxy or WAF configured to log request bodies.
  • Using custom scripts or log analysis tools to extract and compare the DAG ID in the URL path against the DAG IDs in the request body to identify unauthorized cross-DAG modifications.

Since the vulnerability requires authenticated users with edit permissions, reviewing user activity logs and API audit logs for unusual task instance state changes across DAGs can also help detect exploitation.
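The mismatch the Description and the detection guidance above both turn on (authorization decided on the path's dag_id while the body's entities name another Dag) can be checked mechanically. The following is an added example, not code from the advisory or from Apache Airflow: it parses constructed JSON-lines request records and flags bulk Task Instance requests whose body entities leave the Dag run named in the path. The body layout (actions -> entities) is an assumption modelled on the Airflow 3 bulk API, and the sample records are constructed, not real traffic.

```python
import json
import re
from typing import Any

# Route of the bulk Task Instances endpoint named in the advisory.
TI_BULK_PATH = re.compile(
    r"^/api/v2/dags/(?P<dag_id>[^/]+)/dagRuns/(?P<dag_run_id>[^/]+)/taskInstances/?$")

def cross_dag_entities(method: str, path: str, body: dict[str, Any]) -> list[dict[str, str]]:
    """Return body entities whose dag_id / dag_run_id differ from the ids in the URL path."""
    # Body layout (actions -> entities) is an assumption modelled on the Airflow 3 bulk
    # API; adjust these two keys if your deployment's payloads differ.
    m = TI_BULK_PATH.match(path)
    if method.upper() not in ("PATCH", "DELETE") or not m:
        return []
    path_dag, path_run = m["dag_id"], m["dag_run_id"]
    hits = []
    for action in body.get("actions", []):
        for ent in action.get("entities", []):
            # An entity that omits the ids implicitly targets the path's Dag run.
            ent_dag = str(ent.get("dag_id", path_dag))
            ent_run = str(ent.get("dag_run_id", path_run))
            if (ent_dag, ent_run) != (path_dag, path_run):
                hits.append({"task_id": str(ent.get("task_id", "?")),
                             "dag_id": ent_dag, "dag_run_id": ent_run})
    return hits

def scan_log(lines: list[str]) -> list[dict[str, Any]]:
    """Flag JSON-lines records (user, method, path, body) whose body crosses Dags."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        hits = cross_dag_entities(rec["method"], rec["path"], rec.get("body") or {})
        if hits:
            findings.append({"user": rec["user"], "path": rec["path"], "entities": hits})
    return findings

# Constructed sample records (not real traffic): a benign update, then a request that
# keeps the authorized Dag in the path while naming another Dag in the body.
PATH = "/api/v2/dags/team_a_etl/dagRuns/manual__2026-06-01/taskInstances"
SAMPLE_LOG = [
    json.dumps({"user": "alice", "method": "PATCH", "path": PATH, "body": {"actions": [
        {"action": "update", "entities": [{"task_id": "extract", "new_state": "success"}]}]}}),
    json.dumps({"user": "alice", "method": "PATCH", "path": PATH, "body": {"actions": [
        {"action": "update", "entities": [{"task_id": "load", "dag_id": "team_b_billing",
         "dag_run_id": "scheduled__2026-06-01", "new_state": "failed"}]}]}}),
]
if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['user']} {f['path']} -> cross-Dag entities: {f['entities']}")
```

A flagged record is a lead, not proof: compare the listed dag_id values against the user's Dag edit grants before treating it as exploitation.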
