Auth bypass in Apache Software Foundation Airflow
CVE-2026-30911
Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to a…
Vulnerability class: Broken Access Control
EPSS: 0.000 (13.5th percentile)
Affected products
- Apache Software Foundation Airflow — versions 3.1.0
Weakness classification (CWE)
References
- github.com/apache/airflow/pull/62886 (patch)
- lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51 (vendor-advisory)