{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40948", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-16T00:13:13.957Z", "datePublished": "2026-04-18T13:22:41.577Z", "dateUpdated": "2026-04-18T13:30:35.729Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.7.0", "status": "affected", "version": "0.0.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later."}], "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-18T13:22:41.577Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/64114"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: OAuth Login CSRF \u2014 Missing State Parameter in Keycloak Auth Manager", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T13:30:35.729Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later."}], "id": "CVE-2026-40948", "lastModified": "2026-04-18T14:16:10.897", "metrics": {}, "published": "2026-04-18T14:16:10.897", "references": [{"source": "security@apache.org", "url": "https://github.com/apache/airflow/pull/64114"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/17/14"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@apache.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.1,0.7.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-18T16:59:23.010113+00:00", "value": {"mitigation_remediation": ["Upgrade apache-airflow-providers-keycloak to 0.7.0 or later", "Verify that OAuth 2.0 state validation is enabled in your Airflow configuration", "Restrict or monitor Keycloak realm access to prevent attackers from creating accounts in the same realm"], "summary": {"action": "Patch", "impact": "Session hijacking via login-CSRF"}, "threat_synthesis": {"affected_systems": "Apache Airflow installations that use the apache-airflow-providers-keycloak package prior to version 0.7.0 are impacted. The flaw exists in the OAuth handling component of the provider, so any deployment that relies on Keycloak for authentication and has not upgraded to the patched provider is vulnerable.", "description_and_impact": "The Keycloak authentication manager in apache-airflow-providers-keycloak failed to generate or validate the OAuth 2.0 state parameter and did not implement PKCE. During the login and login-callback flow a crafted callback URL can be sent to a victim\u2019s browser, causing the victim to be authenticated into the attacker\u2019s Airflow session. Any credentials the victim subsequently stores in Airflow Connections could then be harvested, effectively allowing credential theft without the victim\u2019s knowledge.", "risk_and_exploitability": "The vulnerability represents a classic cross\u2011site request forgery that results in session fixation. No CVSS score is present in the CVE data and the EPSS score is unavailable; the flaw is not listed in CISA KEV. Attackers with an account in the same Keycloak realm can deliver a malicious callback URL to a victim\u2019s browser, and the lack of a state parameter and PKCE simplifies the exploitation. The risk is primarily that an attacker can impersonate a victim and obtain their Airflow credentials. The likelihood of exploitation is unknown, but the impact is that any stored Airflow credentials could be compromised."}}}}, "created": "2026-04-18T15:30:03.823311+00:00", "updated": "2026-04-18T17:00:05.555359+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}