CVE-2026-28779
Session Token Path Misconfiguration in Apache Airflow Enables Session Hijacking
Publication date: 2026-03-17
Last updated on: 2026-03-17
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 3.0.0 (inc) to 3.1.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Apache Airflow versions 3.1.0 through 3.1.7, where the session token cookie (_token) is always set with the path attribute as root ("/") regardless of the configured base URL for the webserver or API.

Because the cookie path is set to root, any other application hosted under the same domain can receive this session token cookie, allowing those applications to capture valid Airflow session tokens.

This exposure enables an attacker to take over Airflow sessions without directly attacking Airflow itself. [2]
How can this vulnerability impact me?
The vulnerability allows any application co-hosted on the same domain to access Airflow session tokens, which can lead to full session takeover.
An attacker or malicious application could impersonate legitimate Airflow users by using stolen session tokens, potentially gaining unauthorized access to sensitive workflows, data, or administrative functions within Airflow.
This risk is especially significant in environments where multiple applications share the same domain but operate independently.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying the path attribute of the Airflow session token cookie (_token) in your web browser or HTTP requests. If the _token cookie path is set to "/" regardless of the configured base_url, the system is vulnerable.

One way to check this is by using browser developer tools to inspect the cookies when accessing Airflow. Look for the _token cookie and verify its path attribute.

Alternatively, you can use command-line tools like curl to inspect the Set-Cookie header from the Airflow webserver response. For example:

- curl -sI http://your-airflow-domain/path | grep -i set-cookie

Check if the _token cookie's path is set to "/" instead of the Airflow base_url path. If it is always "/", the vulnerability exists. [2]
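The check above can be scripted so it is repeatable across deployments. The following is an added example, not part of this CVE record and not Apache Airflow's own code: it parses raw Set-Cookie header values with the standard library, derives the path a correctly scoped cookie should carry from the configured base_url, and reports whether the _token cookie is scoped to that path or leaks to the whole host via Path=/. The header values and the base_url http://your-airflow-domain/airflow are constructed for the demonstration; the fetch_set_cookie helper is an assumption about how one would obtain the headers from a live instance (capture the response that actually issues the session cookie, since a bare HEAD on an arbitrary path may not set it).

```python
"""Check whether the Airflow session cookie (_token) is scoped to the base_url
path or set with Path=/ (the condition described in CVE-2026-28779).

Added example; not part of the CVE record or of Apache Airflow. All header
values below are constructed, and the base_url is an assumed value.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumed deployment: Airflow served under a sub-path of a shared host.
BASE_URL = "http://your-airflow-domain/airflow"

# Constructed Set-Cookie values as a vulnerable instance would emit them
# (cookie scoped to the whole host, so any co-hosted app receives it).
VULNERABLE_HEADERS = [
    "_token=abc123; Path=/; HttpOnly; SameSite=Lax",
    "_csrf=xyz789; Path=/",
]

# Constructed Set-Cookie values as a correctly scoped instance would emit them.
FIXED_HEADERS = [
    "_token=abc123; Path=/airflow; HttpOnly; SameSite=Lax",
]


def expected_cookie_path(base_url):
    """Path a correctly scoped session cookie should carry for this base_url."""
    path = urlparse(base_url).path.rstrip("/")
    return path or "/"


def parse_set_cookie(headers):
    """Parse raw Set-Cookie header values into a SimpleCookie jar."""
    jar = SimpleCookie()
    for raw in headers:
        jar.load(raw)
    return jar


def check_token_cookie_path(set_cookie_headers, base_url, cookie_name="_token"):
    """Return (status, detail) where status is one of:
    'vulnerable'     cookie Path is broader than the base_url path (e.g. '/')
    'ok'             cookie Path is the base_url path or a sub-path of it
    'absent'         the response did not set the cookie at all
    'not_applicable' base_url is at the host root, so no narrower scope exists
    'unknown'        no explicit Path attribute; RFC 6265 s.5.1.4 derives the
                     default-path from the request URL, so inspect manually
    """
    jar = parse_set_cookie(set_cookie_headers)
    if cookie_name not in jar:
        return "absent", f"no {cookie_name} cookie in response"
    want = expected_cookie_path(base_url)
    if want == "/":
        return "not_applicable", "base_url is at the host root; path scoping cannot narrow the cookie"
    path = jar[cookie_name]["path"]  # Morsel returns '' when the attribute is missing
    if not path:
        return "unknown", f"{cookie_name} has no explicit Path attribute; check the default-path manually"
    stripped = path.rstrip("/") or "/"
    if stripped == want or stripped.startswith(want + "/"):
        return "ok", f"{cookie_name} Path={path!r} is scoped to base_url path {want!r}"
    return "vulnerable", f"{cookie_name} Path={path!r} is broader than base_url path {want!r}"


def fetch_set_cookie(url):
    """Live variant (assumption): GET the URL and return its Set-Cookie values."""
    with urlopen(Request(url, method="GET")) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for label, headers in (("vulnerable sample", VULNERABLE_HEADERS),
                           ("fixed sample", FIXED_HEADERS)):
        status, detail = check_token_cookie_path(headers, BASE_URL)
        print(f"{label}: {status} ({detail})")
```

To run it against a real deployment, replace the constructed lists with `fetch_set_cookie(...)` on the response that establishes the session and pass your actual base_url; a "vulnerable" result on a version in the affected range is the condition the record describes, while "not_applicable" means the host root is the only scope available and isolating Airflow on its own domain, as the mitigation section suggests, is the relevant control.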
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade Apache Airflow to version 3.1.8 or later, where the issue has been fixed.
This update changes the _token cookie path to match the configured base_url, preventing session tokens from being accessible to other applications on the same domain.
Until the upgrade can be applied, consider isolating Airflow on a dedicated domain or subdomain to reduce the risk of session token leakage.