CVE-2026-41084 | THREATINT

Description

A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

PUBLISHED Reserved 2026-04-16 | Published 2026-06-01 | Updated 2026-06-02 | Assigner apache

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

3.2.0 (semver) before 3.2.2

affected

Credits

Pirikara finder

GPK (gopidesupavan) remediation developer

References

www.openwall.com/lists/oss-security/2026/05/31/7

github.com/apache/airflow/pull/64288 patch

lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk vendor-advisory

cve.org (CVE-2026-41084)

nvd.nist.gov (CVE-2026-41084)

Download JSON