CVE-2026-41084
Authorization Bypass in Apache Airflow Task Instances API
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow | 3.2.2 |
| apache | airflow | From 3.2.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Role-Based Access Control (RBAC) bypass in Apache Airflow's bulk Task Instances API. The endpoint checks whether the caller may edit the DAG named in the URL path, but the task instances it actually modifies are identified by DAG ID, task ID and run ID in the request body, and access is not re-validated for each DAG referenced there. An authenticated user with edit permission on a single DAG can therefore keep that authorized DAG ID in the URL while listing task instances from other DAGs in the body, and the server applies the state changes to those foreign task instances. This is an insecure direct object reference (CWE-639): the authorization decision is bound to one identifier while the operation is driven by another, attacker-controlled one.
The issue matters for deployments that rely on per-DAG edit scope to isolate task instance state between teams; any user who can edit one DAG can alter task instance state in every DAG. The fix adds a per-entity DAG authorization check for each DAG ID in the request body, so a request is only applied when the caller is authorized to edit every DAG it touches.
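The following is an added illustration of the pattern the advisory describes and of the per-entity check that closes it. It is not Apache Airflow's code: the data model, the request-body field names (`dag_id`, `task_id`, `run_id`, `new_state`), the `User.editable_dags` permission lookup and the sample DAGs are all assumptions made for the example. The vulnerable handler authorizes once on the path DAG ID and then trusts the body; the hardened handler validates every DAG ID in the body before any write, so a rejected batch is rejected whole rather than half-applied.

```python
# Added example modelling the cross-DAG authorization gap; NOT Airflow's own
# code. Field names, the permission model and the sample data are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


class PermissionDenied(Exception):
    """Raised when the caller lacks edit permission on a DAG."""


@dataclass
class User:
    name: str
    editable_dags: Set[str]  # DAG IDs this user may edit (hypothetical RBAC)


@dataclass
class TaskInstance:
    dag_id: str
    task_id: str
    run_id: str
    state: str


Key = Tuple[str, str, str]          # (dag_id, task_id, run_id)
Store = Dict[Key, TaskInstance]


def make_store() -> Store:
    """Constructed sample data: one task instance in each of two teams' DAGs."""
    rows = [
        TaskInstance("team_a_etl", "extract", "run_1", "queued"),
        TaskInstance("team_b_billing", "charge", "run_7", "queued"),
    ]
    return {(t.dag_id, t.task_id, t.run_id): t for t in rows}


def can_edit(user: User, dag_id: str) -> bool:
    return dag_id in user.editable_dags


def bulk_update_vulnerable(user: User, path_dag_id: str,
                           body: List[dict], store: Store) -> List[Key]:
    """Pattern described in the advisory: authorize on the URL's DAG ID only,
    then trust whatever DAG IDs appear in the body. Deliberately left broken."""
    if not can_edit(user, path_dag_id):
        raise PermissionDenied(path_dag_id)
    touched: List[Key] = []
    for entry in body:
        key = (entry["dag_id"], entry["task_id"], entry["run_id"])
        store[key].state = entry["new_state"]   # entry["dag_id"] never checked
        touched.append(key)
    return touched


def bulk_update_fixed(user: User, path_dag_id: str,
                      body: List[dict], store: Store) -> List[Key]:
    """Hardened form: per-entity check on every DAG ID in the body, performed
    before the first write so a denied entry cannot leave a partial batch."""
    if not can_edit(user, path_dag_id):
        raise PermissionDenied(path_dag_id)
    for entry in body:
        if not can_edit(user, entry["dag_id"]):
            raise PermissionDenied(entry["dag_id"])
    touched: List[Key] = []
    for entry in body:
        key = (entry["dag_id"], entry["task_id"], entry["run_id"])
        store[key].state = entry["new_state"]
        touched.append(key)
    return touched


def run_scenario() -> dict:
    """Team A's user keeps their own DAG in the URL but targets Team B's
    task instance in the body. Returns the resulting states for inspection."""
    alice = User("alice", {"team_a_etl"})
    body = [
        {"dag_id": "team_a_etl", "task_id": "extract", "run_id": "run_1",
         "new_state": "success"},
        {"dag_id": "team_b_billing", "task_id": "charge", "run_id": "run_7",
         "new_state": "failed"},
    ]
    result = {}

    store = make_store()
    bulk_update_vulnerable(alice, "team_a_etl", body, store)
    result["vulnerable_team_b_state"] = store[("team_b_billing", "charge", "run_7")].state

    store = make_store()
    try:
        bulk_update_fixed(alice, "team_a_etl", body, store)
        result["fixed_denied"] = False
    except PermissionDenied:
        result["fixed_denied"] = True
    result["fixed_team_a_state"] = store[("team_a_etl", "extract", "run_1")].state
    result["fixed_team_b_state"] = store[("team_b_billing", "charge", "run_7")].state
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the vulnerable handler flipping Team B's task instance to `failed` even though alice can only edit `team_a_etl`, while the hardened handler rejects the whole request and leaves both task instances in `queued`. Checking every body entry up front (rather than inside the write loop) is what keeps the rejected batch atomic.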
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user with edit permission on one DAG to modify task instances in other DAGs without the per-DAG authorization check being applied. This cross-DAG RBAC bypass can result in unauthorized modification of task state belonging to other teams or projects.
Such unauthorized access and modification can conflict with requirements in frameworks like GDPR or HIPAA, which expect access to be restricted to authorized users, data isolation between parties to be enforced, and changes to be accountable to the person who made them.
Deployments that rely on per-DAG edit scope to isolate task instance state between teams are particularly affected, because the vulnerability breaks that isolation and increases the risk of unauthorized alteration of workflow state.
Users are advised to upgrade to Apache Airflow version 3.2.2 or later, where per-entity DAG authorization checks have been introduced to mitigate this issue.
How can this vulnerability impact me?
This vulnerability allows an authenticated user with edit permission on one DAG to modify task instances in other DAGs they should not have access to. Changing task instance state in another team's DAG can disrupt workflows (for example, marking a task as failed or success without it having run), cause data integrity problems in downstream tasks, and interfere with team-specific task management.
Organizations that rely on per-DAG edit permissions to isolate task instance state between teams may find that this isolation is broken, leading to cross-team interference and operational risk.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Apache Airflow to version 3.2.2 or later.
The fix adds a per-entity DAG authorization check for every DAG ID referenced in the request body, so task instances can only be modified in DAGs the caller is authorized to edit. Until the upgrade is applied, treat edit permission on any single DAG as effectively granting edit access to task instance state in all DAGs when deciding who may hold it.