LeakyCreds

CVE-2026-30911 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: March 17, 2026

Apache Airflow - Broken Access Control

Published: March 17, 2026 | Updated: March 17, 2026 | Remote Exploitable

Overview

Apache Airflow 3.1.0 through 3.1.7 contains a broken access control vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that lets any authenticated task instance read, approve, or reject the HITL workflows of other task instances. Exploitation requires authentication as a task instance.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 3.8% (probability of exploitation in the next 30 days)

Impact

Authenticated task instances can manipulate or view HITL workflows of other tasks, leading to unauthorized workflow control.

Mitigation

Upgrade to Apache Airflow 3.1.8 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 17, 2026

🟠 CVE-2026-30911 - High (8.1) Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30911/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-30911
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: confirmed
EPSS: 3.8%
Social Posts: 1

CWE

  • CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

3.8% (probability of exploitation in the next 30 days)