Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
Description
Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.
Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Airflow 3.1.0–3.1.7 lacks per-task authorization in HITL endpoints, letting any authenticated task read/approve/reject other tasks' workflows.
Vulnerability
Overview
CVE-2026-30911 is a missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints of Apache Airflow versions 3.1.0 through 3.1.7. The root cause is that the HITL endpoints do not validate whether the requesting task instance is authorized to access, approve, or reject workflows belonging to another task instance. This allows any authenticated task instance to perform actions on HITL workflows of any other task instance [1][2][3].
Exploitation
An attacker who has authenticated access to the Airflow environment can exploit this by sending crafted requests to the HITL endpoints. No special privileges beyond being an authenticated task instance are required. The attack surface is the Execution API's HITL endpoints, which are exposed to authenticated task instances but lack per-task authorization checks [2][3].
Impact
A successful exploit allows an attacker to read, approve, or reject HITL workflows belonging to any other task instance. This could lead to unauthorized approval of malicious workflows, disruption of legitimate workflows, or exposure of sensitive workflow information [2][3].
Mitigation
The issue is fixed in Apache Airflow 3.1.8. Users are strongly recommended to upgrade to this version or later. The fix adds task instance validation to ensure that approval actions come from the correct task, as implemented in pull request #62886 [3][4]. No workarounds have been published.
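The ownership check the fix adds, as an added illustration that is not Airflow's own Execution API code: a constructed in-memory model of a HITL response endpoint, shown without the check (the vulnerable shape) and with it. The `HITLDetail` fields, the `ti_id` identifier and the store are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of a Human-in-the-Loop (HITL) record owned by one
# task instance; field names are assumptions, not Airflow's actual schema.
@dataclass
class HITLDetail:
    ti_id: str
    options: list
    response_received: bool = False
    chosen_option: Optional[str] = None

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

# Constructed store: two task instances, each waiting on its own human decision.
STORE = {
    "ti-A": HITLDetail(ti_id="ti-A", options=["approve", "reject"]),
    "ti-B": HITLDetail(ti_id="ti-B", options=["approve", "reject"]),
}

def _record_response(detail: HITLDetail, chosen: str) -> HITLDetail:
    if chosen not in detail.options:
        raise ValueError(f"{chosen!r} is not an offered option")
    detail.response_received = True
    detail.chosen_option = chosen
    return detail

def update_hitl_vulnerable(caller_ti_id: str, target_ti_id: str, chosen: str) -> HITLDetail:
    # Pre-fix shape: the caller is authenticated (caller_ti_id comes from its
    # credential) but never compared with the record's owner, so any task
    # instance can resolve any other task instance's HITL request.
    detail = STORE.get(target_ti_id)
    if detail is None:
        raise NotFound(target_ti_id)
    return _record_response(detail, chosen)

def update_hitl_fixed(caller_ti_id: str, target_ti_id: str, chosen: str) -> HITLDetail:
    # Post-fix shape: object-level authorization. The record's owner must be the
    # authenticated caller; otherwise the request is refused before any mutation.
    detail = STORE.get(target_ti_id)
    if detail is None:
        raise NotFound(target_ti_id)
    if detail.ti_id != caller_ti_id:
        raise Forbidden(f"{caller_ti_id} may not act on HITL detail of {target_ti_id}")
    return _record_response(detail, chosen)
```

The same ownership comparison belongs on the read path as well, since the advisory covers reading other tasks' HITL details, not only approving or rejecting them.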
- GitHub - apache/airflow: Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
- NVD - CVE-2026-30911
- security - CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
- Fix: Adds task instance validation for hitl by aritra24 · Pull Request #62886 · apache/airflow
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | >= 3.0.0, < 3.1.8 | 3.1.8 |
Affected products
- Apache Software Foundation / Apache Airflow (v5 Range: 3.1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/apache/airflow/pull/62886 (ghsa, patch, WEB)
- github.com/advisories/GHSA-8x34-9q3v-h7g8 (ghsa, ADVISORY)
- lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-30911 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2026/03/17/2 (ghsa, WEB)
News mentions
No linked articles in our index yet.