CVE-2026-28779

high

Description

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Advisories
More

https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb

http://www.openwall.com/lists/oss-security/2026/03/17/3

https://github.com/apache/airflow/pull/62771

Details

Source: Mitre, NVD

Published: 2026-03-17

Updated: 2026-03-17

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00018