GHSA-mxq5-f9c5-w4p5
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 10 pypi packages depend on apache-airflow (1 direct, 9 indirect)
Ecosystem-wide dependent count for version 3.2.0.
Description PRE-NVD
AnalysisAI
API authorization bypass in Apache Airflow 3.2.0 through versions before 3.2.2 allows authenticated users with access to one DAG to mutate TaskInstances belonging to other DAGs they should not control, via the bulk TaskInstances PUT/DELETE endpoints. The flaw stems from the bulk handler omitting per-DAG authorization checks, enabling cross-DAG state tampering with high integrity impact (CVSS 7.5, vector AV:N/AC:L/PR:N/UI:N/I:H). No public exploit identified at time of analysis and EPSS probability is low at 0.01%.
Technical ContextAI
Apache Airflow is a Python-based workflow orchestration platform whose REST API exposes bulk TaskInstance update/delete endpoints under the FastAPI core_api service (airflow-core/src/airflow/api_fastapi/core_api/services/public/task_instances.py). The vulnerability is a CWE-639 Authorization Bypass Through User-Controlled Key: the bulk handler iterates entities supplied in the request body and dispatches PUT/DELETE operations without invoking the auth manager's is_authorized_dag() check for each target dag_id. The upstream fix (PR #64288) introduces a dag_authorization_cache and calls get_auth_manager().is_authorized_dag(method=..., access_entity=DagAccessEntity.TASK_INSTANCE, details=DagDetails(id=dag_id, team_name=...)) per DAG, returning HTTP 403 for unauthorized DAGs while still processing authorized ones.
RemediationAI
Upgrade to Apache Airflow 3.2.2 or later, which incorporates the per-DAG authorization check from PR https://github.com/apache/airflow/pull/64288. Until upgrade is possible, restrict access to the bulk TaskInstance API endpoints (PUT/DELETE on /api/v2/...//taskInstances bulk routes) at the reverse-proxy or ingress layer to only trusted operator accounts - note this will break legitimate multi-team automations that rely on bulk operations. As an additional compensating control, audit Airflow API logs for bulk task_instance mutations referencing dag_ids the requesting user does not own, and consider temporarily disabling the simple auth manager in favor of an auth manager that scopes API tokens to specific DAG sets. Consult the Apache advisory at https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk for vendor-specific guidance.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33592