CVE-2026-41084 Overview
CVE-2026-41084 is a broken access control flaw in Apache Airflow's bulk Task Instances API. The endpoints PATCH /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances and the corresponding DELETE route evaluate authorization against the dag_id value in the URL path. However, the underlying operation acts on the dag_id and dag_run_id supplied inside the request body. An authenticated user holding edit permission on any single Dag can therefore mutate Task Instance state in any other Dag by referencing the target Dag in body entities. The flaw maps to CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Any authenticated user with edit rights on one Dag can alter Task Instance state across all other Dags, breaking per-team isolation in shared Airflow deployments.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Apache Airflow deployments using per-Dag edit-scope authorization
- Multi-tenant Airflow environments with shared API/UI access
Discovery Timeline
- 2026-06-01 - CVE-2026-41084 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-41084
Vulnerability Analysis
Apache Airflow exposes a bulk Task Instances endpoint that accepts a list of entities in the request body, where each entity identifies a dag_id, dag_run_id, and target task. The authorization layer reads the dag_id value from the URL path and verifies the caller has edit permission on that Dag. The handler then iterates the body entities and applies state mutations against the dag_id values they specify. The two identifiers are never required to match. The authorization decision is therefore disconnected from the resource the operation actually touches.
The consequence is a horizontal privilege escalation across Dags. A user with can_edit on Dag team-a-pipeline can craft a PATCH or DELETE request whose URL targets team-a-pipeline but whose body references task instances in team-b-pipeline. The integrity impact is high while confidentiality and availability are not directly affected, because the bug enables state mutation rather than data exfiltration.
Root Cause
The root cause is inconsistent identifier resolution between the authorization check and the data layer. The permission filter trusts the path parameter, while the bulk operation trusts body parameters. When the same identifier appears in two locations, the API must either reject mismatches or re-authorize each entity against its own dag_id. Airflow versions prior to 3.2.2 did neither.
Attack Vector
Exploitation requires only an authenticated session with edit permission on at least one Dag. The attacker issues a PATCH or DELETE request to /api/v2/dags/{authorized_dag_id}/dagRuns/{any_run_id}/taskInstances. The body contains entities whose dag_id and dag_run_id reference the victim Dag and run. The server authorizes the request against the path-level Dag, then mutates Task Instance state in the body-referenced Dag. Attackers can mark tasks as success, failed, or skipped, or delete task instances entirely, disrupting downstream pipelines and data integrity.
No exploit code is publicly available. Refer to the Apache Airflow pull request 64288 for the authoritative fix details.
Detection Methods for CVE-2026-41084
Indicators of Compromise
- API requests to PATCH or DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances where body entity dag_id values do not match the URL path dag_id.
- Unexpected Task Instance state transitions in Airflow audit logs that do not correlate with scheduled runs or user-initiated UI actions on the owning Dag.
- Authenticated users issuing bulk Task Instance mutations against Dags outside their team's normal scope.
Detection Strategies
- Parse Airflow webserver access logs and compare the path dag_id to body-level dag_id fields on bulk Task Instance endpoints. Flag mismatches.
- Correlate Airflow audit events (set_task_instance_state, delete_task_instance) with the requesting user's RBAC permissions. Alert when the user lacks edit on the affected Dag.
- Baseline each user's normal Dag interaction set and surface deviations involving Task Instance mutations.
Monitoring Recommendations
- Enable verbose API audit logging in Airflow and forward to a SIEM for correlation.
- Track Task Instance state changes per Dag and alert on anomalous bulk operations outside scheduled windows.
- Monitor authentication and session events to identify compromised accounts that may be abusing the bulk API.
How to Mitigate CVE-2026-41084
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later across all webserver, scheduler, and worker nodes.
- Audit recent Task Instance state changes and deletions for evidence of cross-Dag tampering.
- Review RBAC assignments and remove unnecessary Dag edit permissions to reduce the eligible attacker population.
Patch Information
The fix is delivered in apache-airflow 3.2.2. The change re-authorizes each body entity against its own dag_id rather than trusting the URL path alone. See the upstream GitHub pull request 64288 and the Apache Airflow mailing list announcement for full details.
Workarounds
- Restrict network access to the Airflow API and UI to trusted operators until the upgrade is applied.
- Place a reverse proxy or API gateway in front of Airflow that rejects requests where body dag_id values do not match the path dag_id on bulk Task Instance routes.
- Temporarily remove edit permissions from non-administrative users on multi-tenant deployments.
# Upgrade Apache Airflow to the patched release
pip install --upgrade "apache-airflow==3.2.2"
# Verify the installed version
airflow version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
