CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-41084

highCVSS 7.5covered by 1 sourcefirst seen 2026-06-01
A bug in Apache Airflow's bulk Task Instances API (PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances) evaluated authorization against the dag_id resolved from the URL path while operating on the dag_id / dag_run_id extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to apache-airflow 3.2.2 or later.

⚡ Watch CVE-2026-41084

Get an email if CVE-2026-41084 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-41084

CVE.org record

Embed the live status

CVE-2026-41084 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-41084 status](https://www.csirts.com/badge/CVE-2026-41084)](https://www.csirts.com/cve/CVE-2026-41084)