Description
The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.
Published: 2026-04-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via login-CSRF
Action: Patch
AI Analysis

Impact

The Keycloak authentication manager in apache-airflow-providers-keycloak failed to generate or validate the OAuth 2.0 state parameter and did not implement PKCE. During the login and login-callback flow a crafted callback URL can be sent to a victim’s browser, causing the victim to be authenticated into the attacker’s Airflow session. Any credentials the victim subsequently stores in Airflow Connections could then be harvested, effectively allowing credential theft without the victim’s knowledge.

Affected Systems

Apache Airflow installations that use the apache-airflow-providers-keycloak package prior to version 0.7.0 are impacted. The flaw exists in the OAuth handling component of the provider, so any deployment that relies on Keycloak for authentication and has not upgraded to the patched provider is vulnerable.

Risk and Exploitability

The vulnerability is a classic cross‑site request forgery that results in session fixation. The CVSS score of 5.4 reflects moderate severity, the EPSS score of < 1% indicates low likelihood of exploitation, and the flaw is not listed in CISA KEV. An attacker with an account in the same Keycloak realm can deliver a malicious callback URL to a victim’s browser, and the absence of both a state parameter and PKCE means nothing ties that callback to a login the victim’s browser actually started. The risk is primarily that the victim ends up in an attacker-controlled Airflow session, so any Airflow credentials the victim then stores are exposed to the attacker. No exploitation has been reported (the SSVC exploitation value is "none"), but the impact is that any stored Airflow credentials could be compromised.

Generated by OpenCVE AI on April 20, 2026 at 18:43 UTC.
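The defect the description names (no `state`, no PKCE) lives on the client side of the OAuth 2.0 authorization-code flow, so that is where the fix belongs. The following is an added example and not code from `apache-airflow-providers-keycloak` or the Apache Airflow project: a minimal client that binds every login attempt to the browser's server-side session with a random `state` value and a PKCE verifier/challenge pair, and refuses any callback whose `state` is not the one this session issued, which is exactly how a callback URL crafted for someone else's login gets rejected. The endpoint URL, client id, redirect URI, session key and all function names are assumptions.

```python
"""Added example, not provider code: OAuth 2.0 state + PKCE binding for a
login / login-callback pair. Endpoint, client id, redirect URI and names are
placeholders chosen for the example."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical Keycloak endpoint and client settings (placeholders, not values from the advisory).
AUTH_URL = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"
CLIENT_ID = "airflow"
REDIRECT_URI = "https://airflow.example/auth/callback"
PENDING_KEY = "oauth_pending"  # session slot holding the one in-flight login


class LoginCsrfError(Exception):
    """Raised when a callback cannot be tied to a login this session started."""


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(session: dict) -> str:
    """Create state + PKCE for a new login, store them server-side, and return
    the authorization URL the browser should be redirected to."""
    state = secrets.token_urlsafe(32)                 # unguessable, one per attempt
    code_verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 bounds
    # One pending login per session; starting a new login replaces the old one.
    session[PENDING_KEY] = {"state": state, "code_verifier": code_verifier}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": make_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the callback against the login pending in *this* session and
    return what the token request needs (code, code_verifier, redirect_uri).

    Raises LoginCsrfError when no login is pending, state or code is missing,
    or the state is not the one this session issued. A callback URL crafted
    for a login that some other browser started fails here, because its state
    was never stored in this session.
    """
    pending = session.pop(PENDING_KEY, None)  # single use: a replayed callback also fails
    params = query_params(callback_url)
    state, code = params.get("state"), params.get("code")
    if pending is None or state is None or code is None:
        raise LoginCsrfError("no pending login, or state/code missing from callback")
    if not hmac.compare_digest(pending["state"], state):
        raise LoginCsrfError("state does not match the login this session started")
    # The authorization server independently rejects the code unless the token
    # request carries the verifier matching the challenge it saw at /auth.
    return {"code": code, "code_verifier": pending["code_verifier"], "redirect_uri": REDIRECT_URI}
```

`start_login` is what the login route calls before redirecting; `handle_callback` is what the callback route calls before exchanging the code, passing the returned `code_verifier` to the token endpoint so the authorization server can check it against the `code_challenge` it recorded. The session passed in must be server-side (or at least integrity-protected), otherwise a browser could supply its own `state` and the check proves nothing.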

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apache-airflow-providers-keycloak to 0.7.0 or later
  • Verify that OAuth 2.0 state validation is enabled in your Airflow configuration
  • Restrict or monitor Keycloak realm access to prevent attackers from creating accounts in the same realm



Advisories
Source: GitHub GHSA
ID: GHSA-5w6h-pjw6-wvc6
Title: apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
History

Mon, 20 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 00:00:00 +0000

Type: Title
Values Removed: Apache Airflow: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager
Values Added: Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager

Sat, 18 Apr 2026 15:45:00 +0000

Type: First Time appeared
Values Added: Apache; Apache airflow

Type: Vendors & Products
Values Added: Apache; Apache airflow

Sat, 18 Apr 2026 14:30:00 +0000

Type: References
Values Removed: (empty)
Values Added: (empty)

Sat, 18 Apr 2026 13:45:00 +0000

Type: Description
Values Added: The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.

Type: Title
Values Added: Apache Airflow: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (empty)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-20T16:17:53.543Z

Reserved: 2026-04-16T00:13:13.957Z

Link: CVE-2026-40948

Vulnrichment

Updated: 2026-04-20T16:17:46.616Z

NVD

Status : Awaiting Analysis

Published: 2026-04-18T14:16:10.897

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-40948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses