5.4

CVE-2026-40948

Medienbericht

Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager

The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheApache-airflow-providers-keycloak Version >= 0.0.1 < 0.7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.33% 0.244
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
22.04.2026 14:48
https://github.com/apache/airflow/pull/64114
Patch
Issue Tracking
https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/04/17/14
Third Party Advisory
Mailing List