Apache · Apache Airflow · CVE-2026-40961
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions prior to 3.2.2
**Description**
A bug in the login redirect route allows authenticated users to craft URLs that bypass the `is safe url` check. This enables the redirection of users from a trusted Airflow domain to an origin controlled by an attacker. The issue involves the `next=` query parameter.
**Recommendations**
Update to version 3.2.2 or later.
Place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint.