CVE-2026-30911

HIGH8.1EPSS 0.04%

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization

發布日:2026/3/17修改日:2026/5/20

也稱為:GHSA-8x34-9q3v-h7g8BIT-airflow-2026-30911PYSEC-2026-17

描述

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

受影響套件(3)

Bitnami/airflow>= 3.1.0, < 3.1.8
PyPI/apache-airflow>= 3.0.0, < 3.1.8
PyPI/apache-airflow>= 3.1.0, < 3.1.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30911
PATCHhttps://github.com/apache/airflow
WEBhttps://github.com/apache/airflow/pull/62886
WEBhttps://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
WEBhttp://www.openwall.com/lists/oss-security/2026/03/17/2