CVE-2026-30911

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-30911

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30911.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-30911

Aliases

Downstream

MINI-75r7-jj9g-jcgv

Published

2026-03-17T11:16:11.940Z

Modified

2026-04-02T13:23:40.346692Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type

GIT

Repo

https://github.com/apache/airflow

Events

Introduced

8cdef3e855527b8a431666b0ce9f3ffd43d14955

Fixed

6b42e8020f6d21ca892b0d1dc21c60469fef6e5f

Database specific

{
    "versions": [
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.1.8"
        }
    ]
}

Affected versions

python-client/3.*

python-client/3.1.0

python-client/3.1.0rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30911.json"