Apache Airflow Session Token Path Vulnerability Allowing Session Hijacking

Vulnerability

A vulnerability exists in Apache Airflow versions 3.1.0 to 3.1.7, where the session token cookie is issued with its Path attribute set to the root path (`/`), regardless of the configured webserver or API base URL. Because the browser then attaches the cookie to every request under that host, any application co-hosted under the same domain receives valid Airflow session tokens in its HTTP request headers, enabling full session takeover without attacking Airflow directly. Users are advised to upgrade to Apache Airflow 3.1.8 or later, which addresses this issue.
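The following is an added verification helper, not code from Apache Airflow or from this advisory. It parses a `Set-Cookie` header and reports whether the cookie's Path attribute is confined to the path of the configured base URL, which is the property a defender would check after deploying behind a shared host. The cookie name `session`, the token value, and the base URL `https://intranet.example.test/airflow` are constructed assumptions for illustration.

```python
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample response headers (not captured from a real deployment).
# The cookie name "session", the token value and BASE_URL are assumptions.
VULNERABLE_SET_COOKIE = "session=constructed-token-value; Path=/; HttpOnly; Secure; SameSite=Lax"
FIXED_SET_COOKIE = "session=constructed-token-value; Path=/airflow; HttpOnly; Secure; SameSite=Lax"
BASE_URL = "https://intranet.example.test/airflow"


def base_path(base_url: str) -> str:
    """Path component of the configured base URL without a trailing slash ("/" for a root deployment)."""
    path = urlsplit(base_url).path.rstrip("/")
    return path or "/"


def cookie_path(set_cookie_header: str, cookie_name: str) -> Optional[str]:
    """Path attribute of the named cookie in a Set-Cookie header; None when no Path attribute was sent."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if cookie_name not in jar:
        raise KeyError(f"cookie {cookie_name!r} not present in header")
    return jar[cookie_name]["path"] or None


def is_scoped_to(path: str, base: str) -> bool:
    """True when the cookie Path equals the base path or is a sub-path of it.

    A root deployment (base "/") has nothing narrower to scope to, so "/" is accepted there.
    """
    if base == "/":
        return True
    return path == base or path.startswith(base + "/")


def check_session_cookie_scope(set_cookie_header: str, cookie_name: str, base_url: str) -> dict:
    """Compare the cookie's Path attribute with the base URL path and describe the finding."""
    base = base_path(base_url)
    path = cookie_path(set_cookie_header, cookie_name)
    if path is None:
        finding = ("no Path attribute: the browser derives the scope from the request path "
                   "(RFC 6265 default-path), which is fragile behind a reverse proxy")
        return {"base_path": base, "cookie_path": None, "scoped": False, "finding": finding}
    scoped = is_scoped_to(path, base)
    finding = "ok" if scoped else (
        f"cookie Path {path!r} is broader than the base path {base!r}: the browser sends "
        f"the session token to every application served under the same host")
    return {"base_path": base, "cookie_path": path, "scoped": scoped, "finding": finding}


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_SET_COOKIE), ("fixed", FIXED_SET_COOKIE)):
        result = check_session_cookie_scope(header, "session", BASE_URL)
        print(f"{label}: path={result['cookie_path']!r} scoped={result['scoped']} -> {result['finding']}")
```

Run it against the `Set-Cookie` header returned by a real login response to confirm that, after the upgrade, the Path matches the sub-path Airflow is served under; a Path of `/` on a host that also serves other applications is the condition this advisory describes.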

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can take over a user's session in Airflow by capturing the session token from cookies.

Remediation

Users should upgrade to Apache Airflow version 3.1.8 or later.

Added: Mar 17, 2026, 11:26 AM
Updated: Mar 17, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.3
exploitability: 4.1
remediation: 7.7
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.