Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization

GHSA-8x34-9q3v-h7g8 · BIT-airflow-2026-30911 · CVE-2026-30911 · PYSEC-2026-17

Published Mar 17, 2026 · Modified Jun 5, 2026

Description

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-30911
WEB https://github.com/apache/airflow/pull/62886
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-17.yaml
WEB https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
WEB http://www.openwall.com/lists/oss-security/2026/03/17/2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes