{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40948", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-16T00:13:13.957Z", "datePublished": "2026-04-18T13:22:41.577Z", "dateUpdated": "2026-04-20T16:17:53.543Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow-providers-keycloak", "product": "Apache Airflow Providers Keycloak", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.7.0", "status": "affected", "version": "0.0.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later."}], "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-19T23:52:51.780Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/64114"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow Providers Keycloak: OAuth Login CSRF \u2014 Missing State Parameter in Keycloak Auth Manager", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T13:30:35.729Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:17:06.510314Z", "id": "CVE-2026-40948", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:17:53.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40948", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:17:06.510314Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-20T16:17:46.616Z"}}], "cna": {"title": "Apache Airflow Providers Keycloak: OAuth Login CSRF \u2014 Missing State Parameter in Keycloak Auth Manager", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Airflow Providers Keycloak", "versions": [{"status": "affected", "version": "0.0.1", "lessThan": "0.7.0", "versionType": "semver"}], "packageName": "apache-airflow-providers-keycloak", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/airflow/pull/64114", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "airflow-s/generate_cve_json.py"}, "descriptions": [{"lang": "en", "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.", "supportingMedia": [{"type": "text/html", "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-19T23:52:51.780Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40948", "state": "PUBLISHED", "dateUpdated": "2026-04-19T23:52:51.780Z", "dateReserved": "2026-04-16T00:13:13.957Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-18T13:22:41.577Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:apache-airflow-providers-keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA33FD2D-B2AE-43EE-B962-46CAFD5C0B1F", "versionEndExcluding": "0.7.0", "versionStartIncluding": "0.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later."}], "id": "CVE-2026-40948", "lastModified": "2026-05-11T15:09:48.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-18T14:16:10.897", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/apache/airflow/pull/64114"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/14"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.1,0.7.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-20T18:43:05.419777+00:00", "value": {"mitigation_remediation": ["Upgrade apache-airflow-providers-keycloak to 0.7.0 or later", "Verify that OAuth\u00a02.0 state validation is enabled in your Airflow configuration", "Restrict or monitor Keycloak realm access to prevent attackers from creating accounts in the same realm"], "summary": {"action": "Patch", "impact": "Session hijacking via login-CSRF"}, "threat_synthesis": {"affected_systems": "Apache Airflow installations that use the apache-airflow-providers-keycloak package prior to version 0.7.0 are impacted. The flaw exists in the OAuth handling component of the provider, so any deployment that relies on Keycloak for authentication and has not upgraded to the patched provider is vulnerable.", "description_and_impact": "The Keycloak authentication manager in apache-airflow-providers-keycloak failed to generate or validate the OAuth 2.0 state parameter and did not implement PKCE. During the login and login-callback flow a crafted callback URL can be sent to a victim\u2019s browser, causing the victim to be authenticated into the attacker\u2019s Airflow session. Any credentials the victim subsequently stores in Airflow Connections could then be harvested, effectively allowing credential theft without the victim\u2019s knowledge.", "risk_and_exploitability": "The vulnerability represents a classic cross\u2011site request forgery that results in session fixation. The CVSS score of 5.4 reflects moderate severity, and the EPSS score of < 1% indicates low likelihood of exploitation; the flaw is not listed in CISA KEV. Attackers with an account in the same Keycloak realm can deliver a malicious callback URL to a victim\u2019s browser, and the lack of a state parameter and PKCE simplifies the exploitation. The risk is primarily that an attacker can impersonate a victim and obtain their Airflow credentials. The likelihood of exploitation is unknown, but the impact is that any stored Airflow credentials could be compromised."}}}}, "created": "2026-04-18T15:30:03.823311+00:00", "updated": "2026-04-20T18:45:14.231112+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}