Login Redirect Bypass Vulnerability in Apache Airflow
CVE-2026-40961

7.2HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-40961?

A vulnerability in the login redirect route of Apache Airflow permits authenticated users to intentionally create URLs that can bypass the is_safe_url security check. This flaw enables redirection from a legitimate Airflow domain to a malicious site controlled by an attacker. To mitigate this risk, users are strongly encouraged to upgrade to Apache Airflow version 3.2.2 or higher. Additionally, it is advisable to deploy Airflow behind a reverse proxy that removes off-domain next= query parameters before the request hits the login endpoint.

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.2

References

https://github.com/apache/airflow/pull/65557

patch

https://lists.apache.org/thread/qmt8ksh7gty6b8hr9w294t94j...

vendor-advisory

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Fushuling@secsys

RacerZ@secsys

Aritra Basu

CVE-2026-40961 Data

JSON