CVE-2026-30911

HIGH8.1EPSS 0.04%

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization

Published: 3/17/2026Modified: 5/20/2026

Description

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Affected packages (3)

Bitnami/airflow>= 3.1.0, < 3.1.8
PyPI/apache-airflow>= 3.0.0, < 3.1.8
PyPI/apache-airflow>= 3.1.0, < 3.1.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30911
PATCHhttps://github.com/apache/airflow
WEBhttps://github.com/apache/airflow/pull/62886
WEBhttps://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
WEBhttp://www.openwall.com/lists/oss-security/2026/03/17/2