Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability affects Apache Airflow versions 3.1.0 through 3.1.7 where the session token cookie (_token) is always set with the path attribute as root ("/") regardless of the configured base URL for the webserver or API.'}, {'type': 'paragraph', 'content': 'Because the cookie path is set to root, any other application hosted under the same domain can receive this session token cookie, allowing those applications to capture valid Airflow session tokens.'}, {'type': 'paragraph', 'content': 'This exposure enables an attacker to take over Airflow sessions without directly attacking Airflow itself.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows any application co-hosted on the same domain to access Airflow session tokens, which can lead to full session takeover.

An attacker or malicious application could impersonate legitimate Airflow users by using stolen session tokens, potentially gaining unauthorized access to sensitive workflows, data, or administrative functions within Airflow.

This risk is especially significant in environments where multiple applications share the same domain but operate independently.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying the path attribute of the Airflow session token cookie (_token) in your web browser or HTTP requests. If the _token cookie path is set to "/" regardless of the configured base_url, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'One way to check this is by using browser developer tools to inspect the cookies when accessing Airflow. Look for the _token cookie and verify its path attribute.'}, {'type': 'paragraph', 'content': 'Alternatively, you can use command-line tools like curl to inspect the Set-Cookie header from the Airflow webserver response. For example:'}, {'type': 'list_item', 'content': 'curl -I http://your-airflow-domain/path | grep Set-Cookie'}, {'type': 'paragraph', 'content': 'Check if the _token cookie\'s path is set to "/" instead of the Airflow base_url path. If it is always "/", the vulnerability exists.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Apache Airflow to version 3.1.8 or later, where the issue has been fixed.

This update changes the _token cookie path to match the configured base_url, preventing session tokens from being accessible to other applications on the same domain.

Until the upgrade can be applied, consider isolating Airflow on a dedicated domain or subdomain to reduce the risk of session token leakage.

Useful 0 Not Useful 0