Improper access control in Apache Airflow - CVE-2026-41084
Published: June 4, 2026
Vulnerability identifier: #VU133379
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41084
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow
Apache Airflow
Detailed vulnerability description
The vulnerability allows a remote user to modify Task Instance state across DAG boundaries.
The vulnerability exists due to improper access control in the bulk Task Instances API endpoint when handling PATCH or DELETE requests that include request-body entity fields for dag_id and dag_run_id. A remote user can send a specially crafted API request to modify Task Instance state across DAG boundaries.
This issue affects deployments that rely on per-DAG edit scope to isolate Task Instance state between teams.
How to mitigate CVE-2026-41084
Install security update from vendor's website.