CVE-2026-41017 - Vulnerability Details

- Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy

Description

Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

Published: 2026-06-01

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

Apache Airflow’s JWTRefreshMiddleware does not set the Secure flag on the authentication cookie. When the API server is accessed through an HTTPS‑terminating proxy, the cookie can be transmitted over cleartext HTTP. A network‑positioned attacker who can force a user’s browser to make an HTTP request to the same host can capture the cookie and reuse it to authenticate to Airflow, effectively hijacking the user’s session. This flaw corresponds to CWE‑614 (Insecure Direct Object Reference).

Affected Systems

The vulnerability applies to any installation of Apache Airflow running Airflow API behind a TLS‑terminating reverse proxy (such as nginx, Envoy, or a cloud load balancer) that forwards unencrypted traffic to the Airflow server. All Airflow versions prior to 3.2.2 are impacted; users are advised to upgrade to 3.2.2 or later.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploitation at this time. However, because the attack requires a network adversary capable of inducing a browser to issue an HTTP request to the protected host, the condition is hard to satisfy in controlled environments but plausible in compromised or captive‑portal networks. Once the cookie is captured, the attacker can reuse it until it expires or is refreshed, granting unauthorized API access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Airflow

unaffected

Version	Status	Constraints
`3.0.0`	affected	< 3.2.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Airflow to version 3.2.2 or newer, where the JWT cookie is set with the Secure flag.
Configure the reverse proxy to reject any HTTP requests to the Airflow API or to enforce HTTPS for all traffic, ensuring that no cleartext requests can be made to the host.
Enable HTTP Strict Transport Security (HSTS) on the Airflow API endpoints to prevent browsers from sending requests over HTTP even if a direct link is provided.

Generated by OpenCVE AI on June 1, 2026 at 10:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/apache/airflow/pull/65348
https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch

History

Mon, 01 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title		Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
Weaknesses		CWE-614
References		https://github.com/apache/airflow/pull/65348 https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-01T07:52:33.651Z

Updated: 2026-06-01T09:52:28.578Z

Reserved: 2026-04-16T02:56:54.451Z

Link: CVE-2026-41017

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T09:16:18.343

Modified: 2026-06-01T09:16:18.343

Link: CVE-2026-41017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses

CWE-614

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object