CVE-2026-25604
Received Received - Intake
SAML Origin Spoofing in AWS Auth Manager Enables Unauthorized Access

Publication date: 2026-03-09

Last updated on: 2026-03-10

Assigner: Apache Software Foundation

Description
In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.Β  This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances. You should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25604
EUVD
EUVD-2026-10318
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow_providers_amazon From 8.0.0 (inc) to 9.22.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability in CVE-2026-25604 involves the AWS Auth manager in Apache Airflow insecurely handling the origin of SAML authentication. Specifically, it used the 'host' parameter provided by the client in incoming requests without verifying it against the actual instance URL. This allowed attackers to reuse a SAML response from one instance to gain unauthorized access to different instances that might have different access controls."}, {'type': 'paragraph', 'content': "The issue was fixed by changing the system to use the 'host' value from the trusted configuration rather than from the client request, preventing host header manipulation attacks."}] [1]

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized access to multiple Apache Airflow instances by reusing a valid SAML authentication response from one instance on others. This could lead to exposure of sensitive data, unauthorized actions, and potential compromise of workflows or systems managed by those Airflow instances.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves insecure handling of the `host` parameter in the AWS authentication manager, where the host value is taken directly from incoming requests instead of a trusted configuration.

To detect this vulnerability on your system, you can check if your AWS Auth Manager implementation uses the host value from incoming requests rather than from a fixed configuration.

While no specific commands are provided, you can audit your Apache Airflow AWS Auth Manager code or configuration for usage of the `host` parameter sourced from request headers.

Additionally, monitoring network traffic for unusual reuse of SAML responses across different instances could indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade your Apache Airflow AWS Auth Manager to version 9.22.0 or later, where the vulnerability has been fixed.

This update changes the AWS authentication manager to use the host value from a trusted configuration instead of the incoming request, preventing host header manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart