oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-40948: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager

From: Jarek Potiuk <potiuk () apache org>
Date: Fri, 17 Apr 2026 17:00:40 +0000
Severity: low 

Affected versions:

- Apache Airflow Keycloak Provider (apache-airflow-providers-keycloak) 0.0.1 before 0.7.0

Description:

The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 
`state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the 
same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the 
attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in 
Airflow Connections would be harvestable by the attacker. Users are advised to upgrade 
`apache-airflow-providers-keycloak` to 0.7.0 or later.

Credit:

Haruki Oyama (Waseda University) (finder)
Aritra Basu (remediation developer)

References:

https://github.com/apache/airflow/pull/64114
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40948
Previous By Date Next
Previous By Thread Next

Current thread: