๐Ÿ” CVE Alert

CVE-2026-40961

Severity: HIGH (7.2)

Apache Airflow: Open Redirect Bypass Vulnerability

CVSS Score: 7.2
EPSS Score: 0.0%
EPSS Percentile: 4th

A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint.
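A defender-side version of the check the mitigation above relies on, written for this alert as an example (it is not Airflow's own `is_safe_url` and not the fix in the linked pull request; the trusted host names are constructed): the `next=` value is accepted only when it is a plain absolute path or an http(s) URL on an allow-listed host, and anything else falls back to a fixed landing page, which is what a filtering reverse proxy would do.

```python
from urllib.parse import urlsplit

# Hosts (optionally with port) that the login flow may redirect to.
# Constructed for this example; a real deployment lists its own Airflow hostnames.
TRUSTED_HOSTS = {"airflow.example.internal", "airflow.example.internal:8080"}


def is_safe_redirect(next_url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only if next_url stays on a trusted host or is a plain absolute path."""
    if not next_url:
        return False
    # Browsers treat backslashes as slashes; normalise first so the parser
    # sees the same host boundary the browser will.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    # Only web schemes are acceptable; urlsplit already lower-cases the scheme.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # Any host component (including scheme-relative '//host') must be allow-listed.
    # Userinfo such as 'trusted@other' stays inside netloc and fails the lookup.
    if parts.netloc:
        return parts.netloc.lower() in trusted_hosts
    # No host: require an absolute path and reject a leading '//' explicitly.
    return candidate.startswith("/") and not candidate.startswith("//")


def sanitize_next(next_url: str, fallback: str = "/home") -> str:
    """Keep a safe redirect target as-is, otherwise substitute the fallback page."""
    return next_url if is_safe_redirect(next_url) else fallback
```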

CWE CWE-601
Vendor apache software foundation
Product apache airflow
Published Jun 1, 2026
Last Updated Jun 2, 2026

Affected Versions

Apache Software Foundation / Apache Airflow
3.0.0 < 3.2.2

References

github.com: https://github.com/apache/airflow/pull/65557
lists.apache.org: https://lists.apache.org/thread/qmt8ksh7gty6b8hr9w294t94j36jdv1q
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/31/2

Credits

Fushuling@secsys RacerZ@secsys Aritra Basu