CVE-2026-22922

CWE-6485 documents5 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 90.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedFeb 9

Description

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/airflow3.1.0 — 3.1.7

▶PyPIapache-airflow3.1.0 — 3.1.7

▶CVEListV5apache_software_foundation/apache_airflow3.1.0 — 3.1.7

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access↗2026-02-09

▶

CVEList

Apache Airflow: Airflow externalLogUrl Permission Bypass↗2026-02-09

▶

OSV

Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access↗2026-02-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22922 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶