Impact
The Keycloak authentication manager in apache-airflow-providers-keycloak failed to generate or validate the OAuth 2.0 state parameter and did not implement PKCE. During the login and login-callback flow a crafted callback URL can be sent to a victim’s browser, causing the victim to be authenticated into the attacker’s Airflow session. Any credentials the victim subsequently stores in Airflow Connections could then be harvested, effectively allowing credential theft without the victim’s knowledge.
Affected Systems
Apache Airflow installations that use the apache-airflow-providers-keycloak package prior to version 0.7.0 are impacted. The flaw exists in the OAuth handling component of the provider, so any deployment that relies on Keycloak for authentication and has not upgraded to the patched provider is vulnerable.
Risk and Exploitability
The vulnerability is a classic cross-site request forgery that results in session fixation. No CVSS score is present in the CVE data and the EPSS score is unavailable; the flaw is not listed in CISA KEV. An attacker with an account in the same Keycloak realm can deliver a malicious callback URL to a victim's browser, and because neither a state parameter nor PKCE is used, nothing binds the callback to the login the victim's browser actually started. The risk is primarily that an attacker can impersonate a victim and obtain their Airflow credentials. The likelihood of exploitation is unknown, but the impact is that any stored Airflow credentials could be compromised.
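As an added defensive illustration (not the provider's own code; the Keycloak endpoint is a placeholder and a plain dict stands in for the browser session), the following shows the two controls the advisory says were missing: a per-session state value and a PKCE verifier are minted when login starts, and the callback is rejected unless its state matches the one bound to that same session.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder authorization endpoint (assumption, not taken from the advisory).
AUTHZ_ENDPOINT = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def begin_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Mint state + PKCE verifier, bind both to this browser session,
    and return the authorization URL the browser should be redirected to."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 PKCE limit
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> tuple[str, str]:
    """Validate the callback against the session that started the login.
    Returns (code, verifier) for the token exchange, or raises."""
    qs = parse_qs(urlparse(callback_url).query)
    returned_state = qs.get("state", [""])[0]
    expected_state = session.pop("oauth_state", None)  # single use
    verifier = session.pop("pkce_verifier", None)
    if not expected_state or not verifier:
        raise PermissionError("no login in progress for this session")
    # A callback minted for some other session carries a different state,
    # so it cannot log this browser into that other session.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not bound to this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code, verifier
```

The returned verifier is what the token request must send as `code_verifier`; a code obtained under a different challenge is then useless to anyone who did not start this session.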
OpenCVE Enrichment