Apache Airflow: Airflow externalLogUrl Permission Bypass
Description
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access.
Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Airflow 3.1.0-3.1.6 has an authorization flaw allowing users with task access to view task logs without proper log access permissions.
Vulnerability
Details
CVE-2026-22922 is an authorization flaw in Apache Airflow versions 3.1.0 through 3.1.6. The root cause is an incorrect access control check that permits an authenticated user with custom permissions limited to task access to view task logs without having explicit task log access [2]. This bypasses the intended permission model where task log access should be a separate privilege.
Exploitation
An attacker must be an authenticated user in Airflow with custom permissions that grant task access (e.g., the ability to run or view tasks). No additional authentication bypass is required; the flaw lies in how the system evaluates permissions when serving task logs [2]. The attack surface is the Airflow web interface or API endpoints that expose task logs.
Impact
Successful exploitation allows the attacker to read task logs that they are not authorized to see. Task logs may contain sensitive information such as credentials, API keys, or business data, leading to information disclosure and potential lateral movement within the environment [2].
Mitigation
The issue is fixed in Apache Airflow 3.1.7 [2]. The fix was implemented in pull request #60412, which corrected the access control logic for external log URLs [3]. Users are strongly advised to upgrade to version 3.1.7 or later. No workarounds have been provided.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflowPyPI | >= 3.1.0, < 3.1.7 | 3.1.7 |
Affected products
2- Apache Software Foundation/Apache Airflowv5Range: 3.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/apache/airflow/pull/60412ghsapatchWEB
- github.com/advisories/GHSA-pm44-x5x7-24c4ghsaADVISORY
- lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-22922ghsaADVISORY
News mentions
0No linked articles in our index yet.