Vulnerability in Apache Software Foundation Airflow
CVE-2026-28779
In Apache Airflow versions 3.1.0 through 3.1.7, the session token cookie (_token) is set with path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture vali…
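As an added illustration of the cookie scoping problem described above (example code written here, not code from the Airflow project or the advisory): a small audit helper that parses a Set-Cookie header and reports whether the _token cookie's Path attribute is confined to the path prefix of the configured base_url. The header strings and base URL are constructed samples; the function names are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def cookie_path_scoped(set_cookie: str, base_url: str, name: str = "_token") -> bool:
    """Return True when the named cookie in a Set-Cookie header is scoped to
    the path prefix of base_url, False when it would also be sent to other
    applications hosted under the same domain (hypothetical audit helper,
    not Airflow code)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(name)
    if morsel is None:
        return False  # cookie not present at all; nothing to vouch for

    # Path prefix the deployment is served under, e.g. "/airflow".
    base_path = urlparse(base_url).path.rstrip("/") or "/"
    # A missing Path attribute is treated as "/", the broadest scope, so a
    # header without Path is reported the same way as an explicit Path=/.
    cookie_path = (morsel["path"] or "/").rstrip("/") or "/"

    if base_path == "/":
        # Served at the domain root: "/" is the narrowest meaningful scope.
        return True
    # Confined if the cookie path equals the base path or lies beneath it.
    return cookie_path == base_path or cookie_path.startswith(base_path + "/")


def audit_headers(headers: list[str], base_url: str) -> dict[str, bool]:
    """Map each Set-Cookie header to whether its _token cookie is scoped."""
    return {h: cookie_path_scoped(h, base_url) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers; the first mirrors the behaviour the
    # advisory describes (Path=/ under a non-root base_url).
    base = "https://example.com/airflow"
    samples = [
        "_token=sample; Path=/; HttpOnly; Secure",
        "_token=sample; Path=/airflow; HttpOnly; Secure",
    ]
    for header, ok in audit_headers(samples, base).items():
        print("scoped" if ok else "SHARED", header)
```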
EPSS: 0.000 (9.2th percentile)
Affected products
- Apache Software Foundation Airflow — versions 3.0.0
Weakness classification (CWE)
References
- github.com/apache/airflow/pull/62771 (patch)
- lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb (vendor-advisory)