CVE Alert

CVE-2026-40948

Severity: UNKNOWN

Apache Airflow: OAuth Login CSRF - Missing State Parameter in Keycloak Auth Manager

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.
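The control the advisory says was absent, as an added illustration that is not the provider's code nor the change in the linked pull request: a per-session `state` value and PKCE verifier are bound to the browser session when login starts, and the callback is accepted only if it carries the `state` that session issued. The IdP URL, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_request(session: dict, authorize_url: str, client_id: str, redirect_uri: str) -> str:
    """Start the login: mint a fresh state and PKCE verifier, bind them to this session."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 range PKCE requires
    session["oauth_state"] = state
    session["oauth_pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": client_id,            # placeholder client id
        "redirect_uri": redirect_uri,      # placeholder callback URL
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}"


def handle_callback(session: dict, query: dict) -> dict:
    """Finish the login: a callback is honoured only if its state matches the one this session issued.

    A callback delivered to a browser that never started a login (no stored state), or one
    carrying another party's state, is rejected before any code is exchanged. The state is
    consumed either way, so a given value can be used at most once.
    """
    expected = session.pop("oauth_state", None)
    verifier = session.pop("oauth_pkce_verifier", None)
    received = query.get("state")
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("OAuth state missing or mismatched: callback not initiated by this session")
    if "code" not in query:
        raise ValueError("authorization code missing from callback")
    # Token request parameters; the IdP checks code_verifier against the challenge it saw at /auth.
    return {"grant_type": "authorization_code", "code": query["code"], "code_verifier": verifier}
```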

CWE: CWE-352
Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Last Updated: Apr 18, 2026

Affected Versions

Apache Software Foundation / Apache Airflow (`apache-airflow-providers-keycloak`)
Versions from 0.0.1 up to, but not including, 0.7.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/apache/airflow/pull/64114
lists.apache.org: https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/17/14

Credits

Haruki Oyama (Waseda University)