CVE Disclosure · Apache Foundation

CVE-2026-30911

Apache Airflow Core

Missing authentication

CVSS: 8.1
Severity: High
Class: Missing authentication
Track: Apache Foundation

Summary

CVE-2026-30911 is a high-severity vulnerability (CVSS 8.1) affecting Apache Airflow Core. The issue is classified as Missing authentication and belongs to the Apache Foundation disclosure track on this site.

References

Authoritative sources and PoC material:

Disclosure

Reporter: Kai Aizen (snailsploit)
Coordination: Vendor + MITRE/NVD
Status: Disclosed · CVE assigned · entry public on NVD
Track: Apache Foundation

About this writeup

Detailed exploitation analysis, root-cause walkthrough, and remediation guidance for this finding live in the PoC repository. For broader methodology see services and research.

Author
Kai Aizen
Independent Adversarial · Research group. 74 published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-30911
Product: Apache Airflow
Severity: 8.1 · High
Class: CWE-306
Affected: Apache Airflow core, versions prior to the patched release
References: NVD · MITRE · Vendor advisory
Frequently asked

CVE-2026-30911 — questions & answers

What is CVE-2026-30911?

CVE-2026-30911 is a missing-authentication vulnerability in Apache Airflow Core. An internal REST endpoint accepts requests without enforcing the configured auth backend, allowing unauthenticated principals to read metadata that should be behind the auth boundary.

Am I affected by CVE-2026-30911?

You are affected if you run Apache Airflow at a version below the patched release and your Airflow webserver / API is reachable from any network the attacker can touch (including internal networks behind shared VPNs).

How do I fix CVE-2026-30911?

Upgrade Apache Airflow Core to the patched version called out in the official Airflow announcement. As a defence-in-depth measure, ensure the Airflow webserver is fronted by an authenticating reverse proxy and that the network reachability of the endpoint matches your trust boundary.

What is the impact of CVE-2026-30911?

Information disclosure that can be escalated, in some deployments, to workflow enumeration and downstream credential exposure. CVSS 8.1 High.

Where can I find authoritative references?

NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-30911, MITRE CVE record, and the Apache Airflow security announcements page.