CVE-2026-22922
📋 TL;DR
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw where authenticated users with custom permissions limited to task access can view task logs without proper authorization. This affects organizations running vulnerable Airflow instances with custom permission configurations. The vulnerability allows unauthorized access to potentially sensitive log data.
💻 Affected Systems
- Apache Airflow
📦 What is this software?
Airflow by Apache
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with limited permissions could access sensitive task logs containing credentials, API keys, or other confidential data, leading to data exposure and potential lateral movement.
Likely Case
Users with legitimate but limited task permissions could inadvertently or intentionally view logs they shouldn't have access to, violating data access policies and potentially exposing operational data.
If Mitigated
With proper network segmentation and minimal user permissions, impact is limited to unauthorized log viewing within the Airflow instance.
🎯 Exploit Status
Exploitation requires authenticated access and custom permission configurations. The vulnerability is in authorization logic, not authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Airflow 3.1.7 or later
Vendor Advisory: https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
Restart Required: Yes
Instructions:
1. Backup your Airflow configuration and database.
2. Upgrade to Airflow 3.1.7 or later using pip: 'pip install --upgrade apache-airflow==3.1.7'.
3. Restart all Airflow services.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Custom Permissions
Temporarily remove or restrict custom permissions that grant task access without proper log authorization checks.
Review and modify Airflow RBAC configurations to ensure task log permissions are properly scoped
Disable Task Log Access
Disable task log viewing for all users except administrators until patching can be completed.
Modify Airflow's webserver_config.py to restrict 'can_read' permissions on task logs
🧯 If You Can't Patch
- Implement strict network access controls to limit Airflow access to authorized users only
- Enable detailed audit logging for all task log access attempts and monitor for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Check Airflow version: if running 3.1.0-3.1.6 with custom permissions configured, the system is vulnerable.
Check Version:
airflow version
Verify Fix Applied:
After upgrading to 3.1.7+, verify that users with custom task permissions cannot access task logs without explicit log permissions.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to task logs in Airflow audit logs
- Users with limited permissions accessing task log endpoints
Network Indicators:
- HTTP requests to /api/v1/dags/*/dagRuns/*/taskInstances/*/logs from unauthorized users
SIEM Query:
source="airflow" AND (uri_path="/api/v1/dags/*/dagRuns/*/taskInstances/*/logs" OR event="task_log_access") AND user_permissions!="*log*"
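The detection logic above, written out as an added example (not part of the advisory or of Airflow itself): it scans access-log lines for successful reads of the task-log endpoint by users whose granted permissions do not include a log-read permission. The log line shape, the user-to-permission table and the permission name "can_read:task_logs" are constructed assumptions for the example, not Airflow's canonical identifiers; adapt them to your gateway or audit-log format.

```python
import re
from dataclasses import dataclass

# Task-log endpoint named in the advisory; the optional trailing try number is an assumption.
TASK_LOG_RE = re.compile(
    r"^/api/v1/dags/(?P<dag>[^/]+)/dagRuns/(?P<run>[^/]+)"
    r"/taskInstances/(?P<task>[^/]+)/logs(?:/\d+)?$"
)

# Assumed placeholder for the permission a user must hold to read task logs.
LOG_READ_PERMISSION = "can_read:task_logs"

# Constructed sample: user -> granted permissions (not from a real deployment).
USER_PERMISSIONS = {
    "ops_admin": {"can_read:task_logs", "can_read:task_instances", "can_edit:dags"},
    "task_viewer": {"can_read:task_instances"},  # custom task-scoped role, no log permission
    "log_auditor": {"can_read:task_logs"},
}

# Constructed access-log lines in a simple "user method path status" shape.
SAMPLE_LOG = """\
ops_admin GET /api/v1/dags/etl_daily/dagRuns/manual__2026-01-10/taskInstances/extract/logs/1 200
task_viewer GET /api/v1/dags/etl_daily/dagRuns/manual__2026-01-10/taskInstances/extract/logs/1 200
task_viewer GET /api/v1/dags/etl_daily/dagRuns/manual__2026-01-10/taskInstances/extract 200
log_auditor GET /api/v1/dags/etl_daily/dagRuns/manual__2026-01-10/taskInstances/load/logs/1 200
unknown_user GET /api/v1/dags/etl_daily/dagRuns/manual__2026-01-10/taskInstances/load/logs/1 403
"""

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


@dataclass(frozen=True)
class Finding:
    user: str
    dag: str
    task: str
    status: int


def find_unauthorized_log_reads(log_text, permissions, log_perm=LOG_READ_PERMISSION):
    """Return successful (2xx) task-log reads by users lacking the log-read permission.

    A 2xx response to such a user is the signature of the authorization flaw;
    denied requests (e.g. 403) are expected behaviour and are not reported.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # line does not match the constructed format
        path_m = TASK_LOG_RE.match(m["path"])
        if not path_m:
            continue  # not a task-log endpoint
        status = int(m["status"])
        if not 200 <= status < 300:
            continue  # request was denied or failed
        if log_perm in permissions.get(m["user"], set()):
            continue  # user is legitimately allowed to read logs
        findings.append(Finding(m["user"], path_m["dag"], path_m["task"], status))
    return findings
```

On the constructed sample only the "task_viewer" read is flagged; a real deployment would feed the function its own access-log lines and the permission table exported from the auth manager.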