Apache Airflow Fab Provider
cpe:2.3:a:apache:airflow_providers_fab:*:*:*:*:*:*:*, +1 more
Affected versions: < 1.5.2
A vulnerability exists in Apache Airflow Fab Provider versions prior to 1.5.2, where sessions are not properly invalidated after a user password is changed via the admin CLI. This oversight allows users to remain logged in even after their password has been updated. In contrast, password changes made through the web interface do not exhibit this issue. This vulnerability is distinct from CVE-2023-40273, which has already been addressed in Apache Airflow 2.7.0.
The impact is insufficient session expiration: a session established before the password change stays valid afterwards, so rotating the password from the CLI (for example, in response to a suspected credential compromise) does not end access that the old password had already granted.
To reproduce this vulnerability, log in as a user and then change that user's password using the Apache Airflow admin CLI. After the change, the existing session continues to work because it was never invalidated. The same sequence performed through the web interface does not exhibit the issue.
Users are advised to upgrade to Apache Airflow Fab Provider version 1.5.2 or later, which resolves this vulnerability.
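The pattern behind the defect and its fix, as an added example that is not code from Apache Airflow or the FAB provider: a small in-memory user and session store in which the vulnerable path rewrites the password hash but leaves sessions untouched, while the hardened path binds every session to a per-user password generation counter and bumps it on each change, so tokens issued before the change fail validation. All names (`AuthStore`, `pw_generation`, the sample user `alice` and her passwords) are constructed for this illustration.

```python
"""Model of session invalidation on password change (added example; not
Apache Airflow or FAB provider code). Shows the vulnerable pattern next to a
hardened one that binds sessions to a password generation counter."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    # Incremented on every password change. Sessions record the value they
    # were issued under and fail validation once it has moved on.
    pw_generation: int = 0


@dataclass
class Session:
    username: str
    pw_generation: int
    expires_at: float


class AuthStore:
    def __init__(self, session_ttl: float = 3600.0) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}
        self.session_ttl = session_ttl

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None otherwise."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.pw_generation,
                                       time.time() + self.session_ttl)
        return token

    def validate_session(self, token: str) -> Optional[str]:
        """Return the username for a live session; None if the token is
        unknown, expired, or was issued under an older password generation."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users.get(sess.username)
        if (sess.expires_at < time.time() or user is None
                or user.pw_generation != sess.pw_generation):
            del self.sessions[token]
            return None
        return sess.username

    def _set_password(self, username: str, new_password: str) -> User:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        return user

    def change_password_without_invalidation(self, username: str, new_password: str) -> None:
        """Vulnerable pattern (the advisory's CLI case): the hash is rotated
        but existing sessions are never touched, so a token issued before
        the change keeps working."""
        self._set_password(username, new_password)

    def change_password(self, username: str, new_password: str) -> None:
        """Hardened pattern: rotate the hash and bump the generation, which
        makes every outstanding session for this user fail validation even
        where the session store cannot be enumerated per user."""
        user = self._set_password(username, new_password)
        user.pw_generation += 1
        # Eager cleanup is optional; the generation check alone suffices.
        for tok in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[tok]


def demo() -> Dict[str, bool]:
    """Walk both code paths with a constructed user and report whether a
    token issued before the change still validates after each kind of change."""
    store = AuthStore()
    store.create_user("alice", "old-secret")  # constructed sample user
    token = store.login("alice", "old-secret")
    out = {"valid_before_change": store.validate_session(token) == "alice"}
    store.change_password_without_invalidation("alice", "interim-secret")
    out["valid_after_unsafe_change"] = store.validate_session(token) == "alice"
    store.change_password("alice", "final-secret")
    out["valid_after_safe_change"] = store.validate_session(token) == "alice"
    out["new_password_logs_in"] = store.login("alice", "final-secret") is not None
    out["old_password_rejected"] = store.login("alice", "old-secret") is None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The generation counter is the piece worth copying: it makes invalidation a property of validation rather than of the password-change code path, so an administrative tool that changes a password without knowing about the session store (the CLI case in this advisory) still cannot leave old sessions usable.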