PT-2026-45367 · Apache · Apache Airflow

Pirikara · Published 2026-06-01 · Updated 2026-06-05 · CVE-2026-41084

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 3.2.2

Description: A bug in the bulk Task Instances API allows an authenticated UI or API user to bypass authorization and mutate Task Instance states across different DAGs. The system evaluates authorization based on the dag_id provided in the URL path but performs the operation using the dag_id and dag_run_id taken from the request body. Consequently, a user with edit permissions for one DAG can modify Task Instances in any other DAG by specifying the authorized ID in the URL and the target IDs in the request body. This issue impacts deployments that rely on per-DAG edit scope to isolate Task Instance states between teams. The affected endpoint is 'PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances', and the vulnerable variables are dag_id and dag_run_id.

Recommendations: Upgrade to version 3.2.2 or later.
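The path-versus-body mismatch described above, modelled as an added example that is not Airflow's own code: a handler that authorizes on the path identifiers but acts on the body's, beside one that refuses any body identifiers that differ from the authorized path. The request shape, the permission table and the function names are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class BulkTaskInstanceRequest:
    """Constructed model of a bulk Task Instance call: path params plus body."""
    path_dag_id: str
    path_dag_run_id: str
    body_dag_id: str
    body_dag_run_id: str
    task_ids: list = field(default_factory=list)


# Constructed per-DAG edit scope: each team may edit only its own DAG.
EDIT_SCOPE = {"team-a": {"dag_a"}, "team-b": {"dag_b"}}


def can_edit(user: str, dag_id: str) -> bool:
    return dag_id in EDIT_SCOPE.get(user, set())


def vulnerable_handler(user: str, req: BulkTaskInstanceRequest) -> tuple:
    """Authorizes against the URL path, then mutates the body's targets."""
    if not can_edit(user, req.path_dag_id):
        return ("rejected", "no edit permission for " + req.path_dag_id)
    # The mutation uses identifiers that were never authorized.
    return ("applied", req.body_dag_id, req.body_dag_run_id, tuple(req.task_ids))


def hardened_handler(user: str, req: BulkTaskInstanceRequest) -> tuple:
    """Binds the mutation to the identifiers the authorization checked."""
    if not can_edit(user, req.path_dag_id):
        return ("rejected", "no edit permission for " + req.path_dag_id)
    if (req.body_dag_id, req.body_dag_run_id) != (req.path_dag_id, req.path_dag_run_id):
        return ("rejected", "body dag_id/dag_run_id must match the URL path")
    # Only the path identifiers, which passed the check, reach the mutation.
    return ("applied", req.path_dag_id, req.path_dag_run_id, tuple(req.task_ids))
```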

Fix

IDOR


Weakness Enumeration

Related Identifiers

BIT-AIRFLOW-2026-41084
CVE-2026-41084
PYSEC-2026-183

Affected Products

Apache Airflow