CVE-2026-30911
Published: 17 March 2026
Summary
CVE-2026-30911 is a high-severity Missing Authorization (CWE-862) vulnerability in Apache Airflow. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 15.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly mandates enforcement of approved authorizations for logical access, addressing the missing authorization that allows any authenticated task instance to access the HITL workflows of others.
- AC-6 (Least Privilege): restricts task instances to only their own HITL workflows, limiting the reach of unauthorized access even if enforcement is partially flawed.
- SI-2 (Flaw Remediation): requires identification and remediation of flaws such as this missing authorization vulnerability through timely upgrades to patched versions such as Airflow 3.1.8.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in the network-accessible Airflow Execution API directly enables remote exploitation of a public-facing application (T1190) and unauthorized collection of workflow data from information repositories (T1213).
NVD Description
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Deeper analysis
CVE-2026-30911 is a missing authorization vulnerability (CWE-862) affecting Apache Airflow versions 3.1.0 through 3.1.7 in the Execution API's Human-in-the-Loop (HITL) endpoints. This flaw, published on 2026-03-17T11:16:11.940, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for remote exploitation with low privileges.
An attacker with authentication to any task instance can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows the attacker to read, approve, or reject HITL workflows belonging to any other task instance, leading to unauthorized access to sensitive workflow data (high confidentiality impact) and manipulation of approval processes (high integrity impact) across task instances.
Apache Airflow advisories recommend upgrading to version 3.1.8 or later, which resolves the issue. Further details are provided in the GitHub pull request at https://github.com/apache/airflow/pull/62886, the Apache mailing list thread at https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51, and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/03/17/2.
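As an added illustration, and not Airflow's own code or the fix in the pull request linked above, the following Python models the CWE-862 pattern behind this advisory: a HITL decision handler that authenticates the calling task instance but never checks that the request it acts on belongs to that instance, beside a hardened version that enforces object-level ownership and records denials for detection. Every name here (HITLRequest, hardened_update, the ti-alpha/ti-beta identifiers, the in-memory store) is a constructed assumption for the example.

```python
"""Constructed example of a missing-authorization (CWE-862) handler and its
hardened counterpart. Not Airflow code; all identifiers are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID_DECISIONS = ("approved", "rejected")


@dataclass
class HITLRequest:
    """A human-in-the-loop request, owned by the task instance that raised it."""
    request_id: str
    owner_ti: str            # constructed task-instance id of the owner
    state: str = "pending"   # pending | approved | rejected


class NotFound(Exception):
    """Request absent or, on the hardened path, not visible to this caller."""


def make_sample_store() -> Dict[str, HITLRequest]:
    """Constructed sample data: two task instances with one HITL request each."""
    return {
        "req-1": HITLRequest("req-1", owner_ti="ti-alpha"),
        "req-2": HITLRequest("req-2", owner_ti="ti-beta"),
    }


def vulnerable_update(store: Dict[str, HITLRequest], caller_ti: str,
                      request_id: str, decision: str) -> HITLRequest:
    """CWE-862 pattern: the caller is authenticated (caller_ti is known), but
    ownership is never checked, so any task instance can decide any request."""
    req = store.get(request_id)
    if req is None:
        raise NotFound(request_id)
    if decision not in VALID_DECISIONS:
        raise ValueError(decision)
    req.state = decision
    return req


def authorize(store: Dict[str, HITLRequest], caller_ti: str, request_id: str,
              audit: Optional[List[str]] = None) -> HITLRequest:
    """Object-level check: the request must belong to the caller. A denial is
    reported as NotFound so the response does not confirm that the id exists,
    and is appended to the audit list so cross-instance attempts are visible."""
    req = store.get(request_id)
    if req is None or req.owner_ti != caller_ti:
        if audit is not None:
            audit.append(f"DENY caller={caller_ti} request={request_id}")
        raise NotFound(request_id)
    return req


def hardened_read(store: Dict[str, HITLRequest], caller_ti: str, request_id: str,
                  audit: Optional[List[str]] = None) -> HITLRequest:
    """Read path: same ownership check as the update path."""
    return authorize(store, caller_ti, request_id, audit)


def hardened_update(store: Dict[str, HITLRequest], caller_ti: str, request_id: str,
                    decision: str, audit: Optional[List[str]] = None) -> HITLRequest:
    """Update path: authorize first, then validate and apply the decision."""
    req = authorize(store, caller_ti, request_id, audit)
    if decision not in VALID_DECISIONS:
        raise ValueError(decision)
    req.state = decision
    return req


def cross_instance_blocked(audit: Optional[List[str]] = None) -> bool:
    """Regression check: ti-alpha must not be able to decide ti-beta's request,
    and the request must remain pending afterwards."""
    store = make_sample_store()
    try:
        hardened_update(store, "ti-alpha", "req-2", "approved", audit)
    except NotFound:
        return store["req-2"].state == "pending"
    return False


if __name__ == "__main__":
    log: List[str] = []
    print("hardened path blocks cross-instance approval:", cross_instance_blocked(log))
    print("audit records:", log)
```

The ownership test in authorize is the whole fix: the vulnerable handler's only lookup key is the request id, which is exactly the shape of bug the advisory describes. Routing both read and update through one check, and logging each denial, gives a single place to enforce and to detect.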
Details
- CWE(s)