Security Flaw in Apache Airflow Related to JWT Auth Cookie Maintenance
CVE-2026-41017

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-41017?

The JWTRefreshMiddleware in Apache Airflow has a flaw where it sets the JWT authentication cookie without the 'Secure' flag. This weakens the session integrity, particularly for setups where the Airflow API server operates behind an HTTPS-terminating reverse proxy (like nginx or Envoy). Attackers positioned on the network could exploit this flaw by inducing a logged-in user's browser to make an HTTP request. This would allow them to capture the JWT cookie from the request, subsequently leading to unauthorized access to the API. Organizations using affected versions are encouraged to upgrade to Apache Airflow 3.2.2 or later to mitigate this risk.

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.2

References

https://github.com/apache/airflow/pull/65348

patch

https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc71...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Ran (@eddieran)

Jarek Potiuk

CVE-2026-41017 Data

JSON