Daniel Wolf

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 3.1.0 through 3.1.7 **Description** The session token (` token`) in cookies for Apache Airflow is set to path=/ regardless of the configured `base url` for the `webserver` or `api`. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, potentially leading to a full session takeover without directly attacking Airflow. The `base url` configuration determines the path prefix for Airflow web application URLs. When the session token path is not correctly aligned with the `base url`, it becomes vulnerable to cross-site scripting (XSS) and session hijacking attacks. **Recommendations** Upgrade to Apache Airflow version 3.1.8 or later to resolve this issue.