CVE-2026-41084

Published: Giu 01, 2026 Last Modified: Giu 01, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

639

Authorization Bypass Through User-Controlled Key

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
http://www.openwall.com/lists/oss-security/2026/05/31/7
http://www.openwall.com/lists/oss-security/2026/05/31/7
https://github.com/apache/airflow/pull/64288
https://github.com/apache/airflow/pull/64288
https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp…
https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk