CVE-2026-22922

EPSS 0.04%
Veröffentlicht 09.02.2026 10:33:49
Zuletzt bearbeitet 11.02.2026 18:30:44
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Airflow externalLogUrl Permission Bypass

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. 

Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 3.1.0 < 3.1.7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.109

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-648 Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

https://github.com/apache/airflow/pull/60412

Patch

Issue Tracking

https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/02/09/2

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-22922

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22922

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22922

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22922