Skip to main content

Apache Airflow EUVDEUVD-2026-33593

| CVE-2026-41017 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Source Code Evidence Fetched
Jun 01, 2026 - 17:27 vuln.today
Analysis Generated
Jun 01, 2026 - 17:27 vuln.today
CVSS changed
Jun 01, 2026 - 17:22 NVD
5.9 (MEDIUM)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
May 31, 2026 - 12:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 31, 2026 - 12:45 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.0.0.

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.

Technical ContextAI

The vulnerable component is JWTRefreshMiddleware in airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py, part of Airflow's FastAPI-based REST API surface. The middleware issues a refreshed JWT cookie on authenticated requests; the secure attribute of that Set-Cookie header was computed solely as bool(conf.get('api', 'ssl_cert', fallback='')). In standard reverse-proxy deployments (nginx, AWS ALB, GCP Load Balancer), TLS terminates at the proxy, and Airflow receives plain HTTP internally - so ssl_cert is typically unconfigured. CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) directly describes this class: absent the Secure flag, browsers will transmit the cookie on any HTTP request, not just HTTPS, allowing interception. The fix in PR #65348 augments the condition to also check request.base_url.scheme == 'https', which is populated from forwarded headers by the proxy. CPE cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* confirms the affected artifact is the Apache Airflow core package.

RemediationAI

Vendor-released patch: Apache Airflow 3.2.2, which incorporates the fix from GitHub PR #65348 (https://github.com/apache/airflow/pull/65348). Upgrading to 3.2.2 or later is the recommended and definitive remediation. As a compensating control for operators who cannot immediately upgrade, configuring the ssl_cert setting under the [api] section of airflow.cfg to a valid certificate path will trigger the secure flag even in the buggy code path - though this may require Airflow to handle TLS directly, altering the deployment architecture. Alternatively, ensuring all user-facing paths strictly enforce HTTPS with HSTS headers at the proxy layer (preventing browser fallback to HTTP) reduces the practical window for cookie interception. Neither compensating control fully resolves the root cause; upgrade to 3.2.2 is the only complete fix. Advisory references: https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch and https://vuldb.com/vuln/367558.

Share

EUVD-2026-33593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy