CVE-2026-40948
Status: Analyzed (Analysis Complete)
Login-CSRF in Apache Airflow Keycloak Provider Enables Session Fixation

Publication date: 2026-04-18

Last updated on: 2026-05-11

Assigner: Apache Software Foundation

Description
The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-06-15
External records: NVD, EUVD
Affected Vendors & Products
Vendor: apache
Product: apache-airflow-providers-keycloak
Version range: from 0.0.1 (inclusive) to 0.7.0 (exclusive)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

This vulnerability exists in the Keycloak authentication manager within the apache-airflow-providers-keycloak package. It fails to generate or validate the OAuth 2.0 'state' parameter during the login and login-callback process and does not implement PKCE (Proof Key for Code Exchange).

Because of this, an attacker who has a Keycloak account in the same realm can craft a malicious callback URL and trick a victim into using it. This causes the victim to be logged into the attacker's Airflow session (a login-CSRF or session fixation attack).

As a result, any credentials the victim stores in Airflow Connections after this can be accessed and harvested by the attacker.

Users are advised to upgrade apache-airflow-providers-keycloak to version 0.7.0 or later to fix this issue.

Impact Analysis

This vulnerability allows an attacker to bind a victim's browser to the attacker's own Airflow session by tricking the victim into completing a login callback the attacker crafted (login-CSRF / session fixation).

Because that session belongs to the attacker, any credentials the victim subsequently stores in Airflow Connections are visible to the attacker, potentially exposing sensitive information such as database passwords, API keys, or other secrets.

This can lead to unauthorized access to systems and data, compromising the security and integrity of your environment.

Mitigation Strategies

Users are advised to upgrade apache-airflow-providers-keycloak to version 0.7.0 or later to mitigate this vulnerability.
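The description names two missing controls on the login / login-callback flow: a generated and validated OAuth 2.0 `state` value and PKCE. The following is an added example, not code from the Keycloak provider, showing how a login handler mints a per-session `state` and S256 PKCE pair and then rejects any callback whose `state` was not issued to that browser session; the session dict, key names, endpoints and URLs are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Session keys are an assumption for this example, not the provider's own names.
SESSION_STATE_KEY = "oauth_state"
SESSION_VERIFIER_KEY = "oauth_code_verifier"

class CallbackRejected(Exception):
    """The callback does not carry the state this browser session issued."""

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(session: dict, authorize_endpoint: str,
                            client_id: str, redirect_uri: str) -> str:
    """Start the login: mint a random state and PKCE verifier, bind both to this session."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
    session[SESSION_STATE_KEY] = state
    session[SESSION_VERIFIER_KEY] = verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"

def validate_callback(session: dict, callback_url: str) -> tuple[str, str]:
    """Finish the login: return (code, code_verifier) only if state matches this session's."""
    query = parse_qs(urlparse(callback_url).query)
    # pop() makes the state single-use: a replayed callback, or one minted for another
    # user's login, finds no matching state and is rejected instead of fixing the session.
    expected = session.pop(SESSION_STATE_KEY, None)
    verifier = session.pop(SESSION_VERIFIER_KEY, None)
    received = query.get("state", [""])[0]
    if expected is None or verifier is None or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise CallbackRejected("state missing or mismatched: login was not started here")
    if "code" not in query:
        raise CallbackRejected("authorization code missing")
    return query["code"][0], verifier
```

The returned `code_verifier` goes into the token request so the authorization server can check it against the `code_challenge` sent at login start.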

Compliance Impact

This vulnerability allows an attacker to perform login-CSRF and session fixation attacks, potentially leading to unauthorized access to user credentials stored in Airflow Connections.

Such unauthorized access and credential harvesting could result in violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of sensitive information.

Therefore, the vulnerability could negatively impact compliance with these standards by exposing sensitive credentials and failing to ensure secure authentication flows.
