Cyber Resilience

CVE-2026-41084

Severity: High
Published: 01 June 2026
Modified: 02 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0046 (36.2nd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41084 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Apache Airflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 36.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path, while the operation itself acted on the `dag_id` / `dag_run_id` taken from the request-body entity fields. An authenticated UI/API user with edit permission on one Dag could therefore mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request-body entities. This affects deployments that rely on per-Dag edit scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
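To make the flaw concrete, the following added example (not Airflow's own code) models both authorization patterns over a constructed request, using a hypothetical edit-scope table and a simplified entity shape: the vulnerable handler authorizes on the path `dag_id` but acts on the body's `dag_id`/`dag_run_id`, while the fixed handler refuses any body entity outside the path scope and re-checks the key it actually uses.

```python
from dataclasses import dataclass

# Constructed edit-scope table (hypothetical): user -> set of Dag ids the user may edit.
EDIT_SCOPE = {"alice": {"team_a_dag"}}


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch a Task Instance."""


@dataclass(frozen=True)
class TaskInstanceRef:
    """One entity from the bulk request body (simplified shape, not Airflow's schema)."""
    dag_id: str
    dag_run_id: str
    task_id: str


def user_can_edit(user: str, dag_id: str) -> bool:
    return dag_id in EDIT_SCOPE.get(user, set())


def bulk_patch_vulnerable(user, path_dag_id, path_run_id, entities):
    """Flawed pattern: authorize on the path Dag, then act on whatever Dag the body names."""
    if not user_can_edit(user, path_dag_id):
        raise Forbidden(path_dag_id)
    # The body keys drive the mutation; the path key only drove the check.
    return [(e.dag_id, e.dag_run_id, e.task_id) for e in entities]


def bulk_patch_fixed(user, path_dag_id, path_run_id, entities):
    """Hardened: body entities must stay inside the path scope and are authorized per key."""
    if not user_can_edit(user, path_dag_id):
        raise Forbidden(path_dag_id)
    for e in entities:
        if e.dag_id != path_dag_id or e.dag_run_id != path_run_id:
            raise Forbidden(f"{e.dag_id}/{e.dag_run_id} is outside {path_dag_id}/{path_run_id}")
        if not user_can_edit(user, e.dag_id):  # defence in depth: check the key actually used
            raise Forbidden(e.dag_id)
    return [(e.dag_id, e.dag_run_id, e.task_id) for e in entities]


def outcome(handler, user, path_dag_id, path_run_id, entities):
    """Run a handler and return the Dag ids it would mutate (empty set when forbidden)."""
    try:
        return {dag for dag, _, _ in handler(user, path_dag_id, path_run_id, entities)}
    except Forbidden:
        return set()


# Constructed request: the authorized Dag sits in the path, another team's Dag in the body.
CROSS_DAG_BODY = [TaskInstanceRef("team_b_dag", "manual__2026-06-01", "extract")]
```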

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Authorization bypass in the public-facing bulk Task Instances API (CWE-639) directly enables exploitation of the exposed Airflow endpoint to modify unauthorized DAG resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40961 (same product: Apache Airflow)
CVE-2026-42359 (same product: Apache Airflow)
CVE-2025-66236 (same product: Apache Airflow)
CVE-2026-32228 (same product: Apache Airflow)
CVE-2026-33858 (same product: Apache Airflow)
CVE-2025-54550 (same product: Apache Airflow)
CVE-2026-30911 (same product: Apache Airflow)
CVE-2026-25917 (same product: Apache Airflow)
CVE-2024-56373 (same product: Apache Airflow)
CVE-2025-68438 (same product: Apache Airflow)

Affected Assets

Vendor: apache
Product: airflow
Versions: 3.2.0 to 3.2.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

References