Description
In Apache Airflow versions 3.1.0 through 3.1.7, the session token cookie (_token) is set with path=/ regardless of the configured [webserver] base_url or [api] base_url.
This allows any application co-hosted under the same domain to capture valid Airflow session tokens from incoming HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Published: 2026-03-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking
Action: Immediate Patch
AI Analysis

Impact

Apache Airflow versions 3.1.0 through 3.1.7 set the session token cookie (_token) with path=/ regardless of the configured base_url. Key detail from the CVE description: because the cookie is not restricted to the base_url path, any application co-hosted under the same domain receives it in incoming request headers and can capture valid Airflow session tokens, resulting in session hijacking. The vulnerability is classified as CWE-668 (Improper Limit on a Functionality). The impact is that an attacker who obtains a legitimate session token can perform actions on behalf of the authenticated user, potentially modifying workflows, accessing sensitive data, or escalating privileges.

Affected Systems

Known affected vendor: Apache Software Foundation – Apache Airflow. Impacted releases are 3.1.0 through 3.1.7. No information is provided about older versions or higher major releases, nor for other vendors’ products.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is listed as <1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The attack requires an application co-hosted on the same domain as Airflow (for example under a different path prefix), which is a reasonably achievable condition in shared hosting environments. Such an application receives the cookie in incoming request headers and can reuse the token to hijack an Airflow session.
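As an added example (not part of the advisory and not Airflow project code): a small check that compares the Path attribute of the _token cookie in a login response's Set-Cookie headers with the path component of the configured base_url, and flags the over-broad path=/ this advisory describes. The header values below are constructed, and the helper names (expected_cookie_path, audit_session_cookie) are this example's own; a cookie with no Path attribute is treated as path=/ on the assumption that the login request was made at the site root.

```python
"""Verify that an Airflow session cookie is scoped to the configured base_url path.

Example code added for illustration, not from Airflow. Feed it the base_url
from airflow.cfg and the Set-Cookie headers of a login response (e.g. copied
from `curl -si`); it reports whether the _token cookie carries a Path no
broader than the base_url path.
"""
from http.cookies import SimpleCookie
from typing import List, Optional
from urllib.parse import urlsplit

SESSION_COOKIE = "_token"  # cookie name given in the advisory


def expected_cookie_path(base_url: str) -> str:
    """Path prefix the session cookie should carry, derived from base_url.

    'https://host/airflow/' -> '/airflow'; a base_url with no path -> '/'.
    """
    path = urlsplit(base_url).path.rstrip("/")
    return path or "/"


def cookie_path(set_cookie: str, name: str = SESSION_COOKIE) -> Optional[str]:
    """Path attribute of the named cookie in one Set-Cookie header, or None if absent.

    Assumption: a cookie without a Path attribute is treated as '/', which is the
    RFC 6265 default-path when the login request was made at the site root.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(name)
    if morsel is None:
        return None
    return morsel["path"] or "/"


def path_is_scoped(cookie_path_value: str, expected: str) -> bool:
    """True if the cookie path is no broader than the base_url path.

    A cookie path equal to the expected prefix, or nested below it, is fine;
    '/' (the vulnerable setting) or an unrelated prefix is not.
    """
    if expected == "/":
        return True
    return cookie_path_value == expected or cookie_path_value.startswith(expected + "/")


def audit_session_cookie(base_url: str, set_cookie_headers: List[str]) -> dict:
    """Report on the first _token cookie found among the Set-Cookie headers."""
    expected = expected_cookie_path(base_url)
    for header in set_cookie_headers:
        found = cookie_path(header)
        if found is None:
            continue
        ok = path_is_scoped(found, expected)
        finding = None if ok else (
            f"{SESSION_COOKIE} cookie has Path={found}, broader than base_url path {expected}; "
            "co-hosted applications under this domain will receive it"
        )
        return {"expected_path": expected, "cookie_path": found, "scoped": ok, "finding": finding}
    return {"expected_path": expected, "cookie_path": None, "scoped": None,
            "finding": f"no {SESSION_COOKIE} cookie in response"}


# Constructed sample responses: the vulnerable (path=/) and corrected cases.
BASE_URL = "https://airflow.example.internal/airflow"
VULNERABLE_HEADERS = [
    "_token=constructedtokenvalue; Path=/; HttpOnly; Secure; SameSite=Lax",
]
FIXED_HEADERS = [
    "_token=constructedtokenvalue; Path=/airflow; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_session_cookie(BASE_URL, headers))
```

When base_url has no path component the cookie must be scoped to / anyway, so the check passes; the finding only fires when Airflow is served under a prefix and the cookie is still issued for the whole site.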

Generated by OpenCVE AI on March 17, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.1.8 or newer, which resolves the cookie path issue.


Advisories
Source: GitHub GHSA
ID: GHSA-4fhm-p86v-hwpx
Title: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
History

Tue, 17 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache airflow
CPEs | | cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products | | Apache; Apache airflow

Tue, 17 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 17 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Title | | Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
Weaknesses | | CWE-668
References | |

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-17T13:45:02.518Z

Reserved: 2026-03-03T10:12:24.113Z

Link: CVE-2026-28779

Vulnrichment

Updated: 2026-03-17T13:32:03.724Z

NVD

Status: Analyzed

Published: 2026-03-17T11:16:11.790

Modified: 2026-03-17T17:42:17.580

Link: CVE-2026-28779

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:25Z

Weaknesses