
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN310
_____________________________________________________________________

DATE                : 18/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions
                     prior to 3.1.8.

=====================================================================
https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb
https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
https://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
_____________________________________________________________________

CVE-2026-28779: Apache Airflow: Path of session token in cookie does
not consider base_url - session hijacking via co-hosted applications

Severity: Medium

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.1.0 through 3.1.7, the session token cookie
(_token) is set with path=/ regardless of the configured [webserver]
base_url or [api] base_url.

This allows any application co-hosted under the same domain to capture
valid Airflow session tokens from HTTP request headers, allowing full
session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later,
which resolves this issue.
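A quick way to verify the fix on a deployment served under a path prefix is to inspect the Set-Cookie header the login response returns and compare its Path attribute with the configured base_url. The following is an added example for this advisory, not Airflow code: it assumes a captured Set-Cookie header and the base_url string, and the sample headers are constructed.

```python
"""Audit whether a session cookie is scoped to the application's base_url.

Added example for this advisory; it is not Airflow code. It assumes a
Set-Cookie header captured from the application's login response and the
configured base_url, and reports the path-scoping finding described for
CVE-2026-28779 plus the usual HttpOnly/Secure hygiene checks.
"""
from urllib.parse import urlparse

# Constructed sample headers (not captured from a real deployment).
CONSTRUCTED_WEAK = "_token=s3ss10n; Path=/; HttpOnly; Secure; SameSite=Lax"
CONSTRUCTED_FIXED = "_token=s3ss10n; Path=/airflow; HttpOnly; Secure; SameSite=Lax"

EXPLANATIONS = {
    "path-too-broad": "Path=/ sends the cookie to every application under the host, "
                      "not only the one under base_url",
    "path-mismatch": "Path attribute lies outside the base_url path",
    "missing-httponly": "cookie is readable by scripts on the page",
    "missing-secure": "cookie may be sent over plain HTTP",
}


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def expected_cookie_path(base_url: str) -> str:
    """The narrowest Path that still covers every URL under base_url."""
    path = urlparse(base_url).path.rstrip("/")
    return path or "/"


def audit_session_cookie(header: str, base_url: str, cookie_name: str = "_token"):
    """Return a list of finding codes for the named cookie (empty when clean)."""
    name, _value, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return []
    findings = []
    want = expected_cookie_path(base_url)
    # RFC 6265 derives a default path from the request URL when Path is
    # absent; treating absence as "/" errs on the side of reporting.
    have = attrs.get("path", "/")
    if want != "/":
        if have == "/":
            findings.append("path-too-broad")
        elif have != want and not have.startswith(want + "/"):
            findings.append("path-mismatch")
    if "httponly" not in attrs:
        findings.append("missing-httponly")
    if "secure" not in attrs and urlparse(base_url).scheme == "https":
        findings.append("missing-secure")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", CONSTRUCTED_WEAK), ("fixed", CONSTRUCTED_FIXED)):
        codes = audit_session_cookie(header, "https://example.test/airflow")
        print(label, [f"{c}: {EXPLANATIONS[c]}" for c in codes] or "no findings")
```

When base_url has no path component, Path=/ is the correct scope and the check reports nothing; the finding only matters when Airflow shares a hostname with other applications under different prefixes.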

Credit:

Daniel Wolf (finder)
Daniel Wolf (remediation developer)

References:

https://github.com/apache/airflow/pull/62771
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-28779

_____________________________________________________________________

CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing
Per-Task Authorization

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.8

Description:

Apache Airflow versions 3.1.0 through 3.1.7 contain a missing
authorization vulnerability in the Execution API's Human-in-the-Loop
(HITL) endpoints that allows any authenticated task instance to read,
approve, or reject HITL workflows belonging to any other task
instance.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which
resolves this issue.

Credit:

Kai Aizen (finder)
Aritra Basu (remediation developer)

References:

https://github.com/apache/airflow/pull/62886
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-30911

_____________________________________________________________________

CVE-2026-28563: Apache Airflow: DAG authorization bypass

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies
endpoint returns the full DAG dependency graph without filtering by
authorized DAG IDs. This allows an authenticated user with only the DAG
Dependencies permission to enumerate DAGs they are not authorized to
view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later,
which resolves this issue.

Credit:

Masamune - Unit515 OPSWAT (finder)
Shubham Raj (remediation developer)

References:

https://github.com/apache/airflow/pull/62046
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-28563

_____________________________________________________________________

CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses
Per-DAG RBAC and Leaks Metadata

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.0.0 through 3.1.7, the FastAPI DagVersion
listing API does not apply per-DAG authorization filtering when the
request is made with dag_id set to "~" (the wildcard for all DAGs). As a
result, version metadata of DAGs that the requester is not authorized to
access is returned.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later,
which resolves this issue.
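Both CVE-2026-28563 and CVE-2026-26929 are the same class of flaw: a listing endpoint that serves "everything" (a wildcard DAG id, or the whole dependency graph) without intersecting the result with the caller's authorized DAG ids. The following illustrative example is added for this advisory and is not Airflow code; its data, permission model and function names are constructed. It shows a wildcard listing that skips the per-DAG check beside one that filters, and applies the same filter to a dependency graph.

```python
"""Per-DAG authorization on list endpoints that accept a wildcard.

Illustrative example added for this advisory; it is not Airflow code and the
functions, data and permission model are constructed. It contrasts a listing
that skips the per-DAG check for the "~" wildcard (the flaw described for
CVE-2026-26929) with one that intersects the result with the caller's
authorized DAG ids, and applies the same filter to a dependency graph
(the flaw described for CVE-2026-28563).
"""

WILDCARD = "~"  # "all DAGs" selector, as in the DagVersion listing API

# Constructed inventory: DAG id -> version numbers, and DAG id -> upstream DAG ids.
DAG_VERSIONS = {"etl_sales": [1, 2], "hr_payroll": [1], "public_reports": [3]}
DEPENDENCIES = {
    "etl_sales": {"public_reports"},
    "hr_payroll": {"etl_sales"},
    "public_reports": set(),
}
# Constructed grants: which DAG ids each user may read.
USER_DAG_GRANTS = {"alice": {"etl_sales", "public_reports"}, "bob": {"hr_payroll"}}


def authorized_dag_ids(user: str) -> set:
    """Stand-in for the auth manager's 'which DAGs may this user read' query."""
    return USER_DAG_GRANTS.get(user, set())


def list_dag_versions_vulnerable(user: str, dag_id: str) -> dict:
    """'Before' shape: a single DAG id is checked, the wildcard is not."""
    if dag_id == WILDCARD:
        return dict(DAG_VERSIONS)  # every DAG's metadata, whoever asks
    if dag_id not in authorized_dag_ids(user):
        raise PermissionError(f"{user} may not read {dag_id}")
    return {dag_id: DAG_VERSIONS[dag_id]}


def list_dag_versions_fixed(user: str, dag_id: str) -> dict:
    """Wildcard expands to the caller's authorized DAGs, never to all DAGs."""
    allowed = authorized_dag_ids(user)
    if dag_id == WILDCARD:
        requested = set(DAG_VERSIONS)
    elif dag_id in allowed:
        requested = {dag_id}
    else:
        raise PermissionError(f"{user} may not read {dag_id}")
    # The intersection is the authorization step; it runs on every code path.
    return {d: DAG_VERSIONS[d] for d in sorted(requested & allowed) if d in DAG_VERSIONS}


def dag_dependencies_fixed(user: str) -> dict:
    """Dependency graph restricted to the caller's DAGs on both ends of each
    edge, so an edge cannot reveal the id of a DAG the caller may not see."""
    allowed = authorized_dag_ids(user)
    return {
        dag: {up for up in ups if up in allowed}
        for dag, ups in DEPENDENCIES.items()
        if dag in allowed
    }


if __name__ == "__main__":
    print("vulnerable, bob, ~ :", sorted(list_dag_versions_vulnerable("bob", WILDCARD)))
    print("fixed,      bob, ~ :", sorted(list_dag_versions_fixed("bob", WILDCARD)))
    print("fixed deps, alice  :", dag_dependencies_fixed("alice"))
```

The design point is that the filter lives in the code path every request takes, rather than in a branch the wildcard can bypass; trimming edges to unauthorized DAGs in the dependency view is a conservative choice made here to avoid leaking DAG ids through graph edges.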

Credit:

Pierre Jeambrun (remediation developer)

References:

https://github.com/apache/airflow/pull/61675
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-26929


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================