Unauthorized Task Mutation in Apache Airflow Affects Multiple Deployments
CVE-2026-41084
Currently unrated
What is CVE-2026-41084?
A flaw in Apache Airflow's bulk Task Instances API allows an authenticated user with edit permissions on one DAG to change the state of Task Instances in other DAGs. The authorization check evaluates the dag_id from the URL path rather than the dag_id values in the request body, so the check passes for entries that target DAGs the caller is not permitted to edit, leading to unauthorized state changes. Deployments that rely on per-DAG permissions to isolate Task Instance state between teams are affected. Users should upgrade to Apache Airflow 3.2.2 or later to mitigate this issue.
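To make the bug class concrete, the following is an added illustrative model in Python; it is not Apache Airflow's own code, and the endpoint shape, user model, permission helper and DAG names are assumptions. The vulnerable handler authorizes only the dag_id taken from the URL path, while the hardened handler authorizes every dag_id named in the request body and fails closed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    editable_dags: set = field(default_factory=set)  # DAGs this user may edit

def can_edit(user: User, dag_id: str) -> bool:
    # Assumed per-DAG edit permission check (placeholder for a real authorizer)
    return dag_id in user.editable_dags

def bulk_set_state_vulnerable(user: User, path_dag_id: str, body: list) -> dict:
    """Authorizes the DAG in the URL path only; body entries are applied as-is."""
    if not can_edit(user, path_dag_id):
        return {"status": 403, "updated": []}
    # Each entry's own dag_id is never re-checked, so other teams' DAGs slip through.
    updated = [(e["dag_id"], e["task_id"], e["state"]) for e in body]
    return {"status": 200, "updated": updated}

def bulk_set_state_fixed(user: User, path_dag_id: str, body: list) -> dict:
    """Authorizes every dag_id the request actually touches, failing closed."""
    if not can_edit(user, path_dag_id):
        return {"status": 403, "updated": []}
    for e in body:
        if not can_edit(user, e["dag_id"]):
            # One disallowed entry rejects the whole batch; nothing is applied.
            return {"status": 403, "updated": []}
    updated = [(e["dag_id"], e["task_id"], e["state"]) for e in body]
    return {"status": 200, "updated": updated}

# Constructed sample: a user who may edit only their own team's DAG sends a
# batch whose body also names another team's DAG.
TEAM_A_USER = User("alice", {"team_a_etl"})
REQUEST_BODY = [
    {"dag_id": "team_a_etl", "task_id": "extract", "state": "success"},
    {"dag_id": "team_b_payroll", "task_id": "pay_run", "state": "failed"},
]

def demo() -> tuple:
    """Returns (vulnerable_result, fixed_result) for the constructed request."""
    vuln = bulk_set_state_vulnerable(TEAM_A_USER, "team_a_etl", REQUEST_BODY)
    fixed = bulk_set_state_fixed(TEAM_A_USER, "team_a_etl", REQUEST_BODY)
    return vuln, fixed

if __name__ == "__main__":
    v, f = demo()
    print("vulnerable:", v)  # 200, both entries applied, including team_b_payroll
    print("fixed:     ", f)  # 403, nothing applied
```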
Affected Version(s)
Apache Airflow >= 3.2.0 and < 3.2.2