Apache Airflow 3.1.03.1.6 Auth Flaw: Task Logs Exposed
CVE-2026-22922 Published on February 9, 2026

Apache Airflow: Airflow externalLogUrl Permission Bypass
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-22922 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Incorrect Use of Privileged APIs

The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.


Products Associated with CVE-2026-22922

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-22922 are published in Apache AirFlow:

Apache AirFlow
 

Affected Versions

Apache Software Foundation Apache Airflow:

Exploit Probability

EPSS
0.04%
Percentile
10.93%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.