References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
          *cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.1.8

Apache Software Foundation: https://github.com/apache/airflow/pull/62771 Types: Issue Tracking, Patch

Apache Software Foundation: https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb Types: Mailing List, Vendor Advisory

CVE: http://www.openwall.com/lists/oss-security/2026/03/17/3 Types: Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2026/03/17/3

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url.
This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CWE-668

https://github.com/apache/airflow/pull/62771

https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb