CVE-2026-28779

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28779

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28779.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28779

Aliases

Downstream

MINI-7rg2-8mqc-5fr8

Published

2026-03-17T11:16:11.790Z

Modified

2026-04-10T05:41:24.778149Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Apache Airflow versions 3.1.0 through 3.1.7 session token (token) in cookies is set to path=/ regardless of the configured [webserver] baseurl or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type

GIT

Repo

https://github.com/apache/airflow

Events

Introduced

1fc3442f1307fdf5e1221b26f41266c4fed330d3

Fixed

6b42e8020f6d21ca892b0d1dc21c60469fef6e5f

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.8"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28779.json"