CVE-2026-22922

MEDIUM EPSS 30.0%
Published Feb 9, 20264mo ago · Modified Feb 11, 20264mo ago
6.5 CVSS 3.1
Medium
Find Similar
Published Feb 9, 2026 4mo ago
Last Modified Feb 11, 2026 4mo ago

Description

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
30.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-648

Affected Products 1

VendorProductVersionRange
apacheairflow*≥3.1.0  –  <3.1.7

References 3

  • openwall.com http://www.openwall.com/lists/oss-security/2026/02/09/2
    Mailing ListThird Party Advisory
  • github.com https://github.com/apache/airflow/pull/60412
    Issue TrackingPatch
  • lists.apache.org https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
    Mailing ListVendor Advisory

Remediation

  • github.com https://github.com/apache/airflow/pull/60412
    Issue TrackingPatch