Cyber Resilience

CVE-2026-30911

High

Published: 17 March 2026

Published
17 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0041 32.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30911 is a high-severity Missing Authorization (CWE-862) vulnerability in Apache Airflow. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30911 is a missing authorization vulnerability (CWE-862) affecting Apache Airflow versions 3.1.0 through 3.1.7 in the Execution API's Human-in-the-Loop (HITL) endpoints. This flaw, published on 2026-03-17T11:16:11.940, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for remote exploitation with low privileges.

An attacker with authentication to any task instance can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows the attacker to read, approve, or reject HITL workflows belonging to any other task instance, leading to unauthorized access to sensitive workflow data (high confidentiality impact) and manipulation of approval processes (high integrity impact) across task instances.

Apache Airflow advisories recommend upgrading to version 3.1.8 or later, which resolves the issue. Further details are provided in the GitHub pull request at https://github.com/apache/airflow/pull/62886, the Apache mailing list thread at https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51, and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/03/17/2.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade…

more

to Apache Airflow 3.1.8 or later, which resolves this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Missing authorization in network-accessible Airflow Execution API directly enables remote exploitation of a public-facing application (T1190) and unauthorized collection of workflow data from information repositories (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66236Same product: Apache Airflow
CVE-2026-42359Same product: Apache Airflow
CVE-2026-41084Same product: Apache Airflow
CVE-2026-32228Same product: Apache Airflow
CVE-2026-40961Same product: Apache Airflow
CVE-2024-56373Same product: Apache Airflow
CVE-2026-33858Same product: Apache Airflow
CVE-2025-68438Same product: Apache Airflow
CVE-2026-42252Same product: Apache Airflow
CVE-2025-54550Same product: Apache Airflow

Affected Assets

apache
airflow
3.1.0 — 3.1.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates enforcement of approved authorizations for logical access, addressing the missing authorization that allows any authenticated task instance to access HITL workflows of others.

prevent

Implements least privilege to restrict task instances to only their own HITL workflows, mitigating broad unauthorized access even if enforcement is partially flawed.

prevent

Requires identification and remediation of flaws like this missing authorization vulnerability through timely upgrades to patched versions such as Airflow 3.1.8.

References