7.5

CVE-2026-28779

EPSS 0.03%
Veröffentlicht 17.03.2026 10:15:59
Zuletzt bearbeitet 17.03.2026 17:42:17
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url.
This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 3.0.0 < 3.1.8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.083

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/apache/airflow/pull/62771

Patch

Issue Tracking

https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/03/17/3

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-28779

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28779

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28779

EUVD