What is CVE-2026-40961?

CVE-2026-40961 is a high-severity vulnerability in Apache Airflow, classified under URL Redirection to Untrusted Site (Open Redirect). CVSS score: 7.2/10. Published 2026-06-01.

How severe is CVE-2026-40961?

High severity. CVSS v3 base score is 7.2 out of 10.

Open Redirect in Apache Airflow

CVE-2026-40961

A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to…

Vulnerability class: Open Redirect

EPSS: 0.001 (24.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.

Affected products

Apache Airflow
Apache Software Foundation Airflow — versions 3.0.0

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

security@apache.org (Patch, patch, Issue Tracking)
security@apache.org (vendor-advisory, Mailing List, Vendor Advisory)
af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)

Frequently asked questions

What is CVE-2026-40961?: CVE-2026-40961 is a high-severity vulnerability in Apache Airflow, classified under URL Redirection to Untrusted Site (Open Redirect). CVSS score: 7.2/10. Published 2026-06-01.
How severe is CVE-2026-40961?: High severity. CVSS v3 base score is 7.2 out of 10.