Description
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Published: 2026-03-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to HITL Workflows
Action: Patch
AI Analysis

Impact

This vulnerability arises from missing per‑task authorization checks in Apache Airflow’s Execution API Human‑in‑the‑Loop endpoints. Because the API does not enforce task ownership, any authenticated task instance can read, approve, or reject HITL workflows belonging to other task instances. The primary consequence is unauthorized control and potential manipulation of workflows, which compromises the integrity of task orchestration and may expose sensitive workflow data. The weakness is classified as CWE‑862: Missing Authorization.

Affected Systems

Affected versions are Apache Airflow 3.1.0 through 3.1.7. All deployments running any of these releases are susceptible, regardless of the environment or scale. The issue is not limited to a specific operating system or distribution; it applies to the core Airflow application as distributed by the Apache Software Foundation.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. While the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, the presence of the bug and its impact on workflow integrity make it a real risk for environments that rely on HITL for critical operations. Exploitation requires only an authenticated user on the system, and the attack vector is effectively remote via the Execution API. The recommended remedy is to upgrade to version 3.1.8 or later, which removes the missing authorization checks.

Generated by OpenCVE AI on March 17, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.1.8 or later.

Generated by OpenCVE AI on March 17, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8x34-9q3v-h7g8 Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
History

Tue, 17 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache airflow

Tue, 17 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Title Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
Weaknesses CWE-862
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-17T13:42:05.272Z

Reserved: 2026-03-07T13:31:56.372Z

Link: CVE-2026-30911

cve-icon Vulnrichment

Updated: 2026-03-17T13:32:05.270Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T11:16:11.940

Modified: 2026-03-17T17:32:57.580

Link: CVE-2026-30911

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:24Z

Weaknesses