PYSEC-2026-2369

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-keycloak/PYSEC-2026-2369.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2369
Aliases
Published
2026-07-13T15:02:51.078279Z
Modified
2026-07-13T16:31:28.985950984Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
Details

The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade apache-airflow-providers-keycloak to 0.7.0 or later.

References

Affected packages

PyPI / apache-airflow-providers-keycloak

Package

Name
apache-airflow-providers-keycloak
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-keycloak

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.0.1
Fixed
0.7.0

Affected versions

0.*
0.0.1
0.1.0rc1
0.1.0
0.2.0rc1
0.2.0
0.3.0rc1
0.3.0
0.4.0rc1
0.4.0
0.4.1rc1
0.4.1
0.5.0rc1
0.5.0
0.5.1rc1
0.5.1
0.5.2rc1
0.5.2
0.5.3rc1
0.5.3
0.6.0rc1
0.6.0
0.7.0rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-keycloak/PYSEC-2026-2369.yaml"