Apache Airflow Vulnerabilities

2 advisories affecting Apache Airflow

2

Total CVEs

0

Critical

2

High

CVE-2026-28779

Mar 17, 2026

High (7.5)

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hoste...

Read Advisory

CVE-2026-30911

Mar 17, 2026

High (8.1)

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, ...

Read Advisory

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.