CVE-2026-30911

Name of the Vulnerable Software and Affected Versions Apache Airflow versions 3.1.0 through 3.1.7

Description Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization issue within the Human-in-the-Loop (HITL) endpoints of the Execution API. This allows any authenticated task instance to perform actions—reading, approving, or rejecting—on HITL workflows belonging to other task instances. The HITL endpoints are part of the Execution API, which manages the execution of tasks within Airflow workflows. The issue stems from a lack of proper access controls, enabling unauthorized access and manipulation of HITL workflows.

Recommendations Upgrade to Apache Airflow version 3.1.8 or later.