Aritra Basu

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.2 **Description** A bug in the login redirect route allows authenticated users to craft URLs that bypass the `is safe url` check. This enables the redirection of users from a trusted Airflow domain to an origin controlled by an attacker. The issue involves the `next=` query parameter. **Recommendations** Update to version 3.2.2 or later. Place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 3.1.0 through 3.1.7 **Description** Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization issue within the Human-in-the-Loop (HITL) endpoints of the Execution API. This allows any authenticated task instance to perform actions—reading, approving, or rejecting—on HITL workflows belonging to other task instances. The HITL endpoints are part of the Execution API, which manages the execution of tasks within Airflow workflows. The issue stems from a lack of proper access controls, enabling unauthorized access and manipulation of HITL workflows. **Recommendations** Upgrade to Apache Airflow version 3.1.8 or later.