CVE-2026-41017
JWT Cookie Missing Secure Flag in Apache Airflow
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow | 3.2.2 |
| apache | airflow | From 3.2.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Apache Airflow involves the JWTRefreshMiddleware setting the JWT authentication cookie without the Secure flag in certain deployment scenarios. Specifically, when the Airflow API server is behind an HTTPS-terminating reverse proxy (such as nginx, Envoy, or a managed load balancer that handles TLS termination and forwards plaintext HTTP to the API server), the Secure flag is not set on the cookie. This means the JWT cookie can be sent over unencrypted HTTP requests.
Because the Secure flag is missing, a network attacker positioned on the same network (for example, on a Wi-Fi network, a hostile LAN, or a captive-portal proxy) could trick a logged-in user's browser into sending an HTTP request to the Airflow deployment. The attacker could then capture the JWT cookie from that request and replay it to gain unauthorized access to the authenticated API.
The root cause is that the middleware only set the Secure flag based on the presence of a local SSL certificate, not considering that TLS might be terminated upstream by a reverse proxy. The fix aligns the Secure flag setting with other parts of the codebase by setting it if the incoming request is HTTPS or if a local SSL certificate is configured.
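The decision logic described above, written out as an added example. This is not Apache Airflow's code: the Request class, the function names and the cookie attributes other than Secure are assumptions made for the illustration, and whether the application sees the incoming request as HTTPS behind a TLS-terminating proxy depends on forwarded-scheme headers being trusted upstream of this function.

```python
# Added illustration of the Secure-flag decision this advisory describes.
# It is not Apache Airflow's code: the Request class, function names and the
# cookie attributes other than Secure are assumptions for the example.
from dataclasses import dataclass


@dataclass
class Request:
    # Scheme of the incoming request as the application sees it. Behind a
    # TLS-terminating proxy that forwards plaintext this is "http" unless a
    # trusted forwarded-scheme header has already been applied upstream
    # (assumed to happen before this function is called).
    scheme: str


def secure_flag_before_fix(request: Request, local_ssl_cert: bool) -> bool:
    """Pre-fix rule as described: Secure only if a local SSL cert is configured."""
    return local_ssl_cert


def secure_flag_after_fix(request: Request, local_ssl_cert: bool) -> bool:
    """Fixed rule as described: Secure if the request is HTTPS or a local cert exists."""
    return request.scheme == "https" or local_ssl_cert


def build_set_cookie(name: str, value: str, secure: bool) -> str:
    """Render a Set-Cookie header; Path and HttpOnly are assumed attributes."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def compare_scenarios() -> dict:
    """Evaluate three deployment shapes under both rules."""
    scenarios = {
        # (request scheme seen by the app, local SSL cert configured)
        "direct_https_local_cert": (Request("https"), True),
        "behind_tls_proxy_no_local_cert": (Request("https"), False),
        "plain_http_no_tls": (Request("http"), False),
    }
    return {
        name: {
            "before": secure_flag_before_fix(req, cert),
            "after": secure_flag_after_fix(req, cert),
        }
        for name, (req, cert) in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name:32s} before={result['before']!s:5} after={result['after']!s:5}")
    # Cookie name and value are placeholders, not Airflow's real cookie.
    print(build_set_cookie("jwt_cookie_example", "<token placeholder>", secure=False))
```

The middle scenario is the one the advisory is about: with TLS terminated at the proxy and no local certificate, the pre-fix rule never sets Secure, while the fixed rule does as soon as the request is recognised as HTTPS.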
How can this vulnerability impact me?
This vulnerability can lead to session hijacking where an attacker on the same network can capture and replay a user's JWT authentication cookie. This allows the attacker to impersonate the user and access the Airflow API with the same privileges.
The impact is especially significant in deployments where the Airflow API server is behind a TLS-terminating reverse proxy and relies on the Secure flag to protect session integrity. Without the Secure flag, the JWT cookie can be exposed over unencrypted HTTP traffic, increasing the risk of unauthorized access.
Users are advised to upgrade to apache-airflow version 3.2.2 or later to mitigate this issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the JWT authentication cookie set by the Apache Airflow API server lacks the Secure flag when accessed through an HTTPS-terminating reverse proxy.
One way to detect this is to inspect the cookies sent by the Airflow API server in HTTP responses and verify whether the Secure attribute is missing.
For example, you can use the following to capture and inspect HTTP headers, including cookies:
- Using curl to inspect cookies: `curl -I --cookie-jar cookies.txt https://your-airflow-api-server/`
- Using a network packet capture tool like tcpdump or Wireshark to monitor HTTP traffic for cookies without the Secure flag.
- Using browser developer tools to inspect cookies set by the Airflow API server and check if the Secure flag is present.
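An added helper for the check above, supplied here as an example and not part of Apache Airflow. It parses Set-Cookie headers (either fetched through the reverse proxy with urllib, or pasted from a browser's developer tools) and reports any cookie that lacks the Secure attribute. The cookie names in the embedded sample headers are constructed placeholders, not the names Airflow actually uses, and a response only carries the JWT cookie when the middleware actually sets it, so headers captured after a login are the most reliable input.

```python
# Added detection helper for the Secure-flag check described above. It is
# not part of Apache Airflow; the cookie names in SAMPLE_HEADERS are
# constructed placeholders, not the names Airflow actually uses.
import urllib.request


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie_headers(headers, served_over_https: bool = True) -> list:
    """Return findings for cookies lacking Secure (and note missing HttpOnly)."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        problems = []
        if served_over_https and "secure" not in attrs:
            problems.append("missing Secure (CWE-614)")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if problems:
            findings.append({"cookie": cookie["name"], "problems": problems})
    return findings


def fetch_set_cookie_headers(url: str) -> list:
    """Fetch a URL through the reverse proxy and return its Set-Cookie headers.

    Only responses that actually set the JWT cookie (for example after a
    login) will show it, so headers captured from browser developer tools
    can be passed to audit_set_cookie_headers() instead.
    """
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers standing in for an Airflow API response.
SAMPLE_HEADERS = [
    "jwt_cookie_example=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/; HttpOnly",
    "jwt_cookie_example=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/; HttpOnly; Secure",
    "csrf_example=abc123; Path=/; Secure",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{finding['cookie']}: {', '.join(finding['problems'])}")
```

Run the audit against headers obtained through the HTTPS-terminating proxy, since that is the path on which the advisory says the flag is dropped; a cookie reported as missing Secure on that path is the condition to fix by upgrading.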
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended mitigation is to upgrade Apache Airflow to version 3.2.2 or later, where the issue with the Secure flag on the JWT refresh cookie has been fixed.
This fix ensures that the Secure flag is correctly set on the JWT cookie when the API server is behind an HTTPS-terminating reverse proxy, preventing the cookie from being sent over cleartext HTTP.
Until the upgrade can be applied, ensure that your deployment does not allow HTTP access to the Airflow API server and that all traffic is strictly HTTPS to reduce the risk of cookie interception.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Apache Airflow's JWTRefreshMiddleware involves the JWT auth cookie being set without the Secure flag in deployments where TLS is terminated at a reverse proxy. This allows an attacker positioned on the network to capture and replay the JWT cookie over cleartext HTTP requests, potentially leading to unauthorized access to user sessions.
Such unauthorized access and session hijacking risks can impact compliance with common security standards and regulations like GDPR and HIPAA, which require protection of user data and secure handling of authentication credentials to prevent unauthorized disclosure or access.
Therefore, deployments affected by this vulnerability may face increased risk of non-compliance due to insufficient protection of authentication tokens in transit, especially in environments where session integrity relies on the Secure flag for cookies.
Users are advised to upgrade to Apache Airflow version 3.2.2 or later, where the Secure flag is correctly set on the JWT cookie, mitigating this risk and helping maintain compliance with security requirements.