Apache Airflow Authorization Vulnerability in Execution API Human-in-the-Loop Endpoints

Vulnerability

An authorization vulnerability has been identified in Apache Airflow versions 3.1.0 through 3.1.7. This vulnerability exists in the Execution API's Human-in-the-Loop (HITL) endpoints, where any authenticated task instance can read, approve, or reject HITL workflows of other task instances. The issue arises from insufficient authorization checks, allowing unauthorized access to HITL workflow management.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of HITL workflows, including reading, approving, or rejecting workflows belonging to other task instances.

Remediation

Users are advised to upgrade to Apache Airflow version 3.1.8 or later, which addresses this vulnerability.

Added: Mar 17, 2026, 11:24 AM
Updated: Mar 17, 2026, 11:24 AM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           5.0
  impact           1.3
  exploitability   5.2
  remediation      7.7
  relevance        4.0
  threat           0.0
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.