CVE-2026-40948
Login-CSRF in Apache Airflow Keycloak Provider Enables Session Fixation
Publication date: 2026-04-18
Last updated on: 2026-04-20
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache-airflow-providers-keycloak | From 0.7.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Keycloak authentication manager within the apache-airflow-providers-keycloak package. It fails to generate or validate the OAuth 2.0 'state' parameter during the login and login-callback process and does not implement PKCE (Proof Key for Code Exchange).
Because of this, an attacker who has a Keycloak account in the same realm can craft a malicious callback URL and trick a victim into using it. This causes the victim to be logged into the attacker's Airflow session (a login-CSRF or session fixation attack).
As a result, any credentials the victim stores in Airflow Connections after this can be accessed and harvested by the attacker.
Users are advised to upgrade apache-airflow-providers-keycloak to version 0.7.0 or later to fix this issue.
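The two controls the answer above says were missing, shown as an added example that is not code from the Airflow Keycloak provider: the login handler binds a fresh `state` and a PKCE verifier to the browser session, and the callback refuses to complete a login whose `state` was not minted for that same session. The session dict, parameter names and `demo()` scenario are assumptions constructed for illustration.

```python
import base64
import hashlib
import secrets

def _s256(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_login(session: dict) -> dict:
    """Bind state and PKCE verifier to this session; return redirect params."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636 limits
    session["oauth_state"], session["pkce_verifier"] = state, verifier
    return {"state": state, "code_challenge": _s256(verifier),
            "code_challenge_method": "S256"}

def handle_callback(session: dict, params: dict) -> dict:
    """Validate the callback; return the token-request parameters or raise
    PermissionError if this browser session did not start the login."""
    expected = session.pop("oauth_state", None)  # single-use
    verifier = session.pop("pkce_verifier", None)
    received = params.get("state")
    if expected is None or received is None or not secrets.compare_digest(
            expected.encode("utf-8"), received.encode("utf-8")):
        # No login pending here, or a state minted for another session (login-CSRF).
        raise PermissionError("state mismatch: callback not initiated here")
    if verifier is None or "code" not in params:
        raise PermissionError("missing PKCE verifier or authorization code")
    return {"code": params["code"], "code_verifier": verifier}

def token_endpoint_accepts(code_challenge: str, code_verifier: str) -> bool:
    """The identity provider's PKCE check when the code is redeemed."""
    return secrets.compare_digest(_s256(code_verifier), code_challenge)

def demo() -> dict:
    """Constructed scenario: a legitimate round trip, then a foreign state."""
    victim, other = {}, {}
    redirect = begin_login(victim)
    legit = handle_callback(victim, {"state": redirect["state"], "code": "c1"})
    ok = token_endpoint_accepts(redirect["code_challenge"], legit["code_verifier"])
    begin_login(victim)            # victim starts a new login...
    foreign = begin_login(other)   # ...but receives another session's state
    try:
        handle_callback(victim, {"state": foreign["state"], "code": "c2"})
        rejected = False
    except PermissionError:
        rejected = True
    return {"legit_ok": ok, "foreign_rejected": rejected}
```

Without the `state` check, the second `handle_callback` call would have completed a login that the victim never started, which is the session-fixation outcome the description covers.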
How can this vulnerability impact me?
This vulnerability can allow an attacker to hijack a victim's Airflow session by tricking them into logging into the attacker's session.
Once the attacker controls the session, they can access any credentials the victim stores in Airflow Connections, potentially exposing sensitive information such as database passwords, API keys, or other secrets.
This can lead to unauthorized access to systems and data, compromising the security and integrity of your environment.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to upgrade apache-airflow-providers-keycloak to version 0.7.0 or later to mitigate this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to perform login-CSRF and session fixation attacks, potentially leading to unauthorized access to user credentials stored in Airflow Connections.
Such unauthorized access and credential harvesting could result in violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of sensitive information.
Therefore, the vulnerability could negatively impact compliance with these standards by exposing sensitive credentials and failing to ensure secure authentication flows.