CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization

March 17, 2026 (updated March 18, 2026)

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API’s Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

github.com/advisories/GHSA-8x34-9q3v-h7g8
github.com/apache/airflow
github.com/apache/airflow/pull/62886
lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
nvd.nist.gov/vuln/detail/CVE-2026-30911

Code Behaviors & Features

Detect and mitigate CVE-2026-30911 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →