6.5

CVE-2026-22922

Apache Airflow: Airflow externalLogUrl Permission Bypass

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. 

Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheAirflow Version >= 3.1.0 < 3.1.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.298
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-648 Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

https://github.com/apache/airflow/pull/60412
Patch
Issue Tracking
https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/02/09/2
Third Party Advisory
Mailing List