PYSEC-2026-17

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-17.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-17
Aliases
Published
2026-03-17T11:16:11.940Z
Modified
2026-06-10T17:00:26.879320424Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Affected packages

PyPI / apache-airflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.8

Affected versions

3.*
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1
3.1.2rc1
3.1.2rc2
3.1.2
3.1.3rc1
3.1.3
3.1.4rc1
3.1.4rc2
3.1.4
3.1.5rc1
3.1.5
3.1.6rc1
3.1.6
3.1.7rc1
3.1.7rc2
3.1.7
3.1.8rc1
3.1.8rc2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-17.yaml"