CVE-2026-22922: Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access

February 9, 2026 (updated February 13, 2026)

Confidentiality Loss: Task logs often contain sensitive operational data, debugging information, or potentially leaked secrets (environment variables, connection strings) that should not be visible to all users with basic task access.
Broken Access Control: This bypasses the intended security model for restricted user roles.

References

github.com/advisories/GHSA-pm44-x5x7-24c4
github.com/apache/airflow
github.com/apache/airflow/pull/60412
lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
nvd.nist.gov/vuln/detail/CVE-2026-22922

Code Behaviors & Features

Detect and mitigate CVE-2026-22922 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →