Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade apache-airflow-providers-keycloak to 0.7.0 or later.
AnalysisAI
Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. EPSS score of 0.01% suggests minimal real-world exploitation despite moderate CVSS impact rating.
Technical ContextAI
The vulnerability exists in the OAuth 2.0 authentication flow implementation within the Keycloak provider for Apache Airflow. OAuth 2.0 requires the Authorization Server to return a state parameter matching the client's original request to prevent CSRF attacks; additionally, PKCE (RFC 7636) adds a code_challenge/code_verifier binding to prevent authorization code interception. The apache-airflow-providers-keycloak authentication manager implements neither control. An attacker with a valid Keycloak account in the target realm can forge a callback URL containing a valid authorization code (obtained from their own authentication) and deliver it to a victim. When the victim's browser processes this callback, the Airflow application accepts the authorization code without validating state parameter or PKCE, treating the attacker's valid code as proof of the victim's authentication. This is classified as CWE-352 (Cross-Site Request Forgery), manifesting as session fixation rather than traditional CSRF because the victim is authenticated into the attacker's pre-established session rather than performing an unwanted action on their own session.
RemediationAI
Upgrade apache-airflow-providers-keycloak to version 0.7.0 or later, which implements OAuth 2.0 state parameter validation and PKCE support as documented in GitHub PR #64114 and the Apache mailing list advisory. For organizations unable to immediately upgrade, temporary mitigations include disabling Keycloak OAuth 2.0 authentication in favor of alternative authentication backends (LDAP, local database authentication) - note that this eliminates SSO benefits and requires credential management changes; alternatively, strictly limit Keycloak realm membership to trusted users and implement network-level controls restricting Airflow login endpoints to corporate networks only, though these do not eliminate the vulnerability. The preferred remediation is immediate patching, as workarounds introduce operational friction and do not address the root cause.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23676
GHSA-5w6h-pjw6-wvc6