CVE-2026-25604
SAML Origin Spoofing in AWS Auth Manager Enables Unauthorized Access
Publication date: 2026-03-09
Last updated on: 2026-03-10
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow_providers_amazon | From 8.0.0 (inc) to 9.22.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability in CVE-2026-25604 involves the AWS Auth manager in Apache Airflow insecurely handling the origin of SAML authentication. Specifically, it used the 'host' parameter provided by the client in incoming requests without verifying it against the actual instance URL. This allowed attackers to reuse a SAML response from one instance to gain unauthorized access to different instances that might have different access controls."}, {'type': 'paragraph', 'content': "The issue was fixed by changing the system to use the 'host' value from the trusted configuration rather than from the client request, preventing host header manipulation attacks."}] [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to gain unauthorized access to multiple Apache Airflow instances by reusing a valid SAML authentication response from one instance on others. This could lead to exposure of sensitive data, unauthorized actions, and potential compromise of workflows or systems managed by those Airflow instances.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insecure handling of the `host` parameter in the AWS authentication manager, where the host value is taken directly from incoming requests instead of a trusted configuration.
To detect this vulnerability on your system, you can check if your AWS Auth Manager implementation uses the host value from incoming requests rather than from a fixed configuration.
While no specific commands are provided, you can audit your Apache Airflow AWS Auth Manager code or configuration for usage of the `host` parameter sourced from request headers.
Additionally, monitoring network traffic for unusual reuse of SAML responses across different instances could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade your Apache Airflow AWS Auth Manager to version 9.22.0 or later, where the vulnerability has been fixed.
This update changes the AWS authentication manager to use the host value from a trusted configuration instead of the incoming request, preventing host header manipulation.