Skip to main content

Apache CVE-2026-40948

| EUVDEUVD-2026-23676 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-18 apache GHSA-5w6h-pjw6-wvc6
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Generated
Apr 20, 2026 - 17:54 vuln.today
CVSS changed
Apr 20, 2026 - 17:52 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 18, 2026 - 13:45 euvd
EUVD-2026-23676
Analysis Generated
Apr 18, 2026 - 13:45 vuln.today
Patch released
Apr 18, 2026 - 13:45 nvd
Patch available
CVE Published
Apr 18, 2026 - 13:22 nvd
MEDIUM 5.4

DescriptionCVE.org

The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade apache-airflow-providers-keycloak to 0.7.0 or later.

AnalysisAI

Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. EPSS score of 0.01% suggests minimal real-world exploitation despite moderate CVSS impact rating.

Technical ContextAI

The vulnerability exists in the OAuth 2.0 authentication flow implementation within the Keycloak provider for Apache Airflow. OAuth 2.0 requires the Authorization Server to return a state parameter matching the client's original request to prevent CSRF attacks; additionally, PKCE (RFC 7636) adds a code_challenge/code_verifier binding to prevent authorization code interception. The apache-airflow-providers-keycloak authentication manager implements neither control. An attacker with a valid Keycloak account in the target realm can forge a callback URL containing a valid authorization code (obtained from their own authentication) and deliver it to a victim. When the victim's browser processes this callback, the Airflow application accepts the authorization code without validating state parameter or PKCE, treating the attacker's valid code as proof of the victim's authentication. This is classified as CWE-352 (Cross-Site Request Forgery), manifesting as session fixation rather than traditional CSRF because the victim is authenticated into the attacker's pre-established session rather than performing an unwanted action on their own session.

RemediationAI

Upgrade apache-airflow-providers-keycloak to version 0.7.0 or later, which implements OAuth 2.0 state parameter validation and PKCE support as documented in GitHub PR #64114 and the Apache mailing list advisory. For organizations unable to immediately upgrade, temporary mitigations include disabling Keycloak OAuth 2.0 authentication in favor of alternative authentication backends (LDAP, local database authentication) - note that this eliminates SSO benefits and requires credential management changes; alternatively, strictly limit Keycloak realm membership to trusted users and implement network-level controls restricting Airflow login endpoints to corporate networks only, though these do not eliminate the vulnerability. The preferred remediation is immediate patching, as workarounds introduce operational friction and do not address the root cause.

Share

CVE-2026-40948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy