Session Fixation Vulnerability in Apache Airflow due to Keycloak Authentication Flaw
CVE-2026-40948
Currently unrated
What is CVE-2026-40948?
The Keycloak integration for Apache Airflow does not properly generate or validate the OAuth 2.0 state parameter during the login and login-callback flow, and it does not support Proof Key for Code Exchange (PKCE). Because the callback is not bound to the browser session that started the login, an attacker holding a Keycloak account in the same realm can craft a malicious callback URL and deliver it to a victim. A victim who opens that link is logged into Airflow in the attacker's session rather than their own, opening the way to credential harvesting from their Airflow Connections. Users should upgrade to version 0.7.0 or later to mitigate this risk.
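The two controls the advisory says were missing, a per-session OAuth 2.0 state check and PKCE, as an added example that is not Airflow's or the Keycloak provider's own code; the `session` dict and the callback URL are assumed stand-ins for the real session cookie and redirect.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session: dict) -> dict:
    """Start a login: mint state and a PKCE verifier, bind both to this session.

    Returns the extra query parameters to put on the authorization request.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    return {
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }


def validate_callback(session: dict, callback_url: str) -> str:
    """Check the callback against the session that started the login.

    Raises PermissionError if the state is missing or does not match, which is
    what a callback URL planted by a different user looks like. On success the
    PKCE verifier is returned so the token request can prove possession of it.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use, always consumed
    received = params.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
        expected.encode("utf-8"), received.encode("utf-8")
    ):
        session.pop("pkce_verifier", None)
        raise PermissionError("OAuth state mismatch: callback not issued to this session")
    return session.pop("pkce_verifier")
```

A callback that carries another user's state, or no state at all, is rejected before any authorization code is exchanged, and the verifier never leaves the session that created it.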
Affected Version(s)
Apache Airflow 0.0.1 < 0.7.0