CVE-2026-30911 · HIGH 8.1 · EPSS p32.5%

Description

Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.41% probability of exploitation · percentile 32.5% · 2026-06-19T12:03:05Z
Published: 2026-03-17
Last modified: 2026-03-17

Underlying weaknesses · 1

CWE-862

References

  1. https://github.com/apache/airflow/pull/62886
  2. https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
  3. http://www.openwall.com/lists/oss-security/2026/03/17/2

Type: Weakness · Target: Missing Authorization (cwe-862) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-41084
  2. CVE: CVE-2026-40963
  3. CVE: CVE-2026-41014
  4. CVE: Apache Airflow's Experimental API Authentication Bypass
  5. CVE: CVE-2026-40961
  6. CVE: CVE-2026-30898

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.