CVE-2026-40948

EUVD-2026-23676 | MEDIUM | 2026-04-18 | apache
CVSS 3.1 base score: 5.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 20, 2026 - 17:54 (vuln.today)
CVSS Changed: Apr 20, 2026 - 17:52 (NVD), 5.4 (MEDIUM)

Description (NVD)

The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade apache-airflow-providers-keycloak to 0.7.0 or later.
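The two missing controls named above, shown as an added example that is not the provider's own code: a minimal login / login-callback pair that binds a random `state` and a PKCE verifier to the browser session, refuses any callback whose `state` was not issued to that session, and hands the stored `code_verifier` to the token request. The endpoint URLs, client id and the `SESSIONS` store are assumed stand-ins for the provider's configuration and session handling.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed stand-ins: the real provider takes these from Airflow / Keycloak configuration.
AUTH_ENDPOINT = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"
REDIRECT_URI = "https://airflow.example/auth/login-callback"
SESSIONS = {}  # constructed server-side session store, keyed by browser session id

class CallbackRejected(Exception):
    """A login-callback that cannot be tied to a login this browser session started."""

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def start_login(session_id: str) -> str:
    """Bind a fresh state and PKCE verifier to the session, then build the authorization URL."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(48)
    SESSIONS[session_id] = {"state": state, "code_verifier": verifier}
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": "airflow", "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    })

def handle_callback(session_id: str, callback_url: str) -> dict:
    """Accept the callback only if its state is the one bound to this session (one-shot)."""
    pending = SESSIONS.pop(session_id, None)  # consume it so the state cannot be replayed
    if pending is None:
        raise CallbackRejected("no login in progress for this session")
    params = parse_qs(urlparse(callback_url).query)
    presented = params.get("state", [""])[0]
    if not presented or not hmac.compare_digest(presented.encode(), pending["state"].encode()):
        raise CallbackRejected("state mismatch: this browser did not start that login")
    code = params.get("code", [""])[0]
    if not code:
        raise CallbackRejected("missing authorization code")
    # The token request must also send code_verifier; Keycloak checks it against the challenge.
    return {"code": code, "code_verifier": pending["code_verifier"]}

def callback_accepted(session_id: str, callback_url: str) -> bool:
    try:
        handle_callback(session_id, callback_url)
        return True
    except CallbackRejected:
        return False
```

Without the `state` binding in `handle_callback`, a callback carrying someone else's authorization code would be accepted for whichever browser opened it, which is exactly the login-CSRF the advisory describes.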

Analysis (AI)

Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. …


CVE-2026-40948 vulnerability details – vuln.today
