CVE-2026-41084
Published:June 01, 2026
Updated:June 07, 2026
A bug in Apache Airflow's bulk Task Instances API ("PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances") evaluated authorization against the "dag_id" resolved from the URL path while operating on the "dag_id" / "dag_run_id" extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to "apache-airflow" 3.2.2 or later.
Affected Packages
apache-airflow (CONDA):
Affected version(s) >=2.0.1 <3.2.2Fix Suggestion:
Update to version 3.2.2https://github.com/apache/airflow.git (GITHUB):
Affected version(s) >=airbnb_prod.1.6.1.0 <3.2.2Fix Suggestion:
Update to version 3.2.2apache-airflow (PYTHON):
Affected version(s) >=1.8.1 <3.2.2Fix Suggestion:
Update to version 3.2.2Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
EPSS
Base Score:
0.08