CVE-2026-30911

CWE-862 — Missing Authorization5 documents5 sources

Severity

8.1HIGH

EPSS

0.0%

top 87.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedMar 17

Description

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶NVDapache/airflow3.1.0 — 3.1.8

▶PyPIapache-airflow3.0.0 — 3.1.8

▶CVEListV5apache_software_foundation/apache_airflow3.1.0 — 3.1.8

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization↗2026-03-17

▶

GHSA

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization↗2026-03-17

▶

OSV

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization↗2026-03-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-30911 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶