Description
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Airflow’s JWTRefreshMiddleware does not set the Secure flag on the authentication cookie. When the API server is accessed through an HTTPS‑terminating proxy, the cookie can be transmitted over cleartext HTTP. A network‑positioned attacker who can force a user’s browser to make an HTTP request to the same host can capture the cookie and reuse it to authenticate to Airflow, effectively hijacking the user’s session. This flaw corresponds to CWE‑614 (Insecure Direct Object Reference).

Affected Systems

The vulnerability applies to any installation of Apache Airflow running Airflow API behind a TLS‑terminating reverse proxy (such as nginx, Envoy, or a cloud load balancer) that forwards unencrypted traffic to the Airflow server. All Airflow versions prior to 3.2.2 are impacted; users are advised to upgrade to 3.2.2 or later.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploitation at this time. However, because the attack requires a network adversary capable of inducing a user’s browser to make an HTTP request to the same host, the condition is hard to satisfy in controlled environments but plausible in compromised or captive‑portal networks. Once the cookie is captured, the attacker can reuse it until it expires or is refreshed, granting unauthorized API access. The CVSS score is 5.9.

Generated by OpenCVE AI on June 1, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or newer, where the JWT cookie is set with the Secure flag.
  • Configure the reverse proxy to reject any HTTP requests to the Airflow API or to enforce HTTPS for all traffic, ensuring that no cleartext requests can be made to the host.
  • Enable HTTP Strict Transport Security (HSTS) on the Airflow API endpoints to prevent browsers from sending requests over HTTP even if a direct link is provided.

Generated by OpenCVE AI on June 1, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 01 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
References

Mon, 01 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
Vendors & Products Apache
Apache airflow

Mon, 01 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
Weaknesses CWE-614
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T16:42:57.675Z

Reserved: 2026-04-16T02:56:54.451Z

Link: CVE-2026-41017

cve-icon Vulnrichment

Updated: 2026-06-01T09:52:28.578Z

cve-icon NVD

Status : Modified

Published: 2026-06-01T09:16:18.343

Modified: 2026-06-02T17:16:31.207

Link: CVE-2026-41017

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T18:45:34Z

Weaknesses
  • CWE-614

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute