Description
In AWS Auth Manager, the origin of the SAML authentication was used as provided by the client and was not verified against the actual instance URL.
This allowed an attacker to gain access to different instances with potentially different access controls by reusing a SAML response from other instances.

You should upgrade to version 9.22.0 of the provider if you use AWS Auth Manager.
Published: 2026-03-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

In the AWS Auth Manager, the SAML authentication process trusts the origin supplied by the client without validating it against the actual instance URL. This flaw allows an attacker to craft a Host header that points to a different Airflow instance and reuse a SAML response generated for that instance to gain access. The result is an authentication bypass that can expose data or controls belonging to separate Airflow deployments. The underlying weakness is an origin validation error (CWE-346), reached here through host header injection.

Affected Systems

The vulnerability affects the Apache Airflow Providers Amazon package, used in Apache Airflow deployments that enable the AWS Auth Manager. The specific versions impacted are those preceding the release that introduced the fix; upgrading to version 9.22.0 or later removes the issue.

Risk and Exploitability

The CVSS score for this flaw is 5.4, indicating moderate severity, and the EPSS score is below 1%, showing a low probability of exploitation at present. The issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to send requests with a manipulated Host header and provide a valid SAML response from another instance. Once the request is accepted, the authentication bypass occurs, potentially granting the attacker unauthorized access to protected resources.

Generated by OpenCVE AI on April 16, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Apache Airflow Providers Amazon package to version 9.22.0 or later, which removes the insecure origin handling in AWS Auth Manager.
  • Disable or remove the AWS Auth Manager functionality if it is not required, to eliminate the vulnerable code path.
  • Configure Airflow to validate the Origin header or enforce strict host checks for all SAML requests, ensuring that SAML responses are only accepted from the intended instance.
  • Monitor Airflow logs for unexpected Host header values or SAML authentication attempts, and investigate any anomalies promptly.

Generated by OpenCVE AI on April 16, 2026 at 10:15 UTC.
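
The strict host check recommended above, as an added example (not code from the Airflow provider): the weak pattern builds the SAML callback origin from the client's Host header, while the hardened pattern takes it from configuration and rejects a callback whose request origin or SAML `Destination` differs. `CONFIGURED_BASE_URL`, `ACS_PATH` and all function names are hypothetical, and the `Destination` value is assumed to come from an already signature-verified response.

```python
from urllib.parse import urlsplit

# Assumption: the instance's real URL comes from deployment config, never the request.
CONFIGURED_BASE_URL = "https://airflow-a.example.com"  # constructed value
ACS_PATH = "/auth/login_callback"                      # hypothetical callback path


def _origin(url: str) -> tuple[str, str, int]:
    """Normalise a URL to (scheme, host, port) so origins compare exactly."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme, 0)
    return scheme, (parts.hostname or "").lower(), port


def acs_url_from_request(scheme: str, headers: dict[str, str]) -> str:
    """Weak pattern: the origin is whatever the client put in Host."""
    return f"{scheme}://{headers.get('Host', '')}{ACS_PATH}"


def acs_url_from_config() -> str:
    """Hardened pattern: the origin is fixed by configuration."""
    return CONFIGURED_BASE_URL.rstrip("/") + ACS_PATH


def validate_saml_callback(scheme: str, headers: dict[str, str],
                           destination: str) -> bool:
    """Accept a callback only if the request origin and the SAML response's
    Destination both match the configured instance."""
    expected = _origin(CONFIGURED_BASE_URL)
    try:
        request_origin = _origin(f"{scheme}://{headers.get('Host', '')}")
        dest_origin = _origin(destination)
        dest_path = urlsplit(destination).path
    except ValueError:  # malformed port or host in either value
        return False
    return (request_origin == expected
            and dest_origin == expected
            and dest_path == ACS_PATH)
```

A rejected callback is also the event worth logging together with the received Host value, which covers the monitoring action in the list above.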

Advisories
Source: GitHub GHSA
ID: GHSA-rv5f-ccpm-xjj4
Title: Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass
History

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache airflow Providers Amazon
CPEs cpe:2.3:a:apache:airflow_providers_amazon:*:*:*:*:*:*:*:*
Vendors & Products Apache airflow Providers Amazon

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache-airflow-providers-amazon
Vendors & Products Apache
Apache apache-airflow-providers-amazon

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
References

Mon, 09 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
Description In AWS Auth Manager, the origin of the SAML authentication was used as provided by the client and was not verified against the actual instance URL. This allowed an attacker to gain access to different instances with potentially different access controls by reusing a SAML response from other instances. You should upgrade to version 9.22.0 of the provider if you use AWS Auth Manager.
Title Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass
Weaknesses CWE-346
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-09T16:48:12.786Z

Reserved: 2026-02-03T09:59:31.342Z

Link: CVE-2026-25604

Vulnrichment

Updated: 2026-03-09T12:09:58.818Z

NVD

Status: Analyzed

Published: 2026-03-09T11:16:06.077

Modified: 2026-03-10T18:58:48.887

Link: CVE-2026-25604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:30:16Z
