Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-2zj7-8yhg-8qen
Vulnerability ID VCID-2zj7-8yhg-8qen
Aliases BIT-airflow-2026-41084
CVE-2026-41084
PYSEC-2026-183
Summary A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-639 Authorization Bypass Through User-Controlled Key
System Score Found at
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2026-41084
cvssv3.1 7.5 https://github.com/apache/airflow/pull/64288
ssvc Track https://github.com/apache/airflow/pull/64288
cvssv3.1 7.5 https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk
ssvc Track https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2026/05/31/7
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-41084
https://github.com/apache/airflow/pull/64288
https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk
http://www.openwall.com/lists/oss-security/2026/05/31/7
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/apache/airflow/pull/64288
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:14:40Z/ Found at https://github.com/apache/airflow/pull/64288
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:14:40Z/ Found at https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.openwall.com/lists/oss-security/2026/05/31/7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.19345
EPSS Score 0.00061
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:42.611386+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-183.yaml 38.6.0