Junghan Lee

#31085 of 53,632
8.3 Total CVSS
Vulnerabilities · 1
PT-2020-6687
8.3
2020-12-21
Apache · Apache Airflow · CVE-2020-17526
**Name of the Vulnerable Software and Affected Versions**

Apache Airflow versions prior to 1.10.14

**Description**

The issue is caused by incorrect session validation in the Apache Airflow web server: the default configuration ships with a pre-set `secret_key`. A malicious user who holds a session from one Airflow web server can use it to gain unauthorized access to a different Airflow web server. The root cause is the placeholder key in the default `airflow.cfg` configuration file, which is identical for every installation, so a session cookie that validates on one Airflow server also validates on any other server still using the default key.

**Recommendations**

For Apache Airflow versions prior to 1.10.14, change the default value of the `[webserver] secret_key` configuration option to prevent unauthorized access. As a temporary workaround, consider restricting access to the Airflow web server until the issue is resolved.
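To show why a shared default key makes one server's session cookie valid on another, here is an added example that is not from the advisory, Airflow or Flask: a simplified model of an HMAC-signed session cookie. `DEFAULT_SECRET_KEY`, `sign_session`, `load_session`, `cross_instance_accepts` and `unique_key` are constructed names, and the cookie format is a stand-in for the real one, not Airflow's.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the well-known placeholder key shipped in a default
# airflow.cfg; every installation that never changes it shares this value.
DEFAULT_SECRET_KEY = "temporary_key"


def sign_session(secret_key: str, session: dict) -> str:
    """Mint a cookie: base64(payload) + '.' + HMAC-SHA256(payload) under secret_key."""
    payload = base64.urlsafe_b64encode(
        json.dumps(session, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def load_session(secret_key: str, cookie: str):
    """Return the session dict if the signature verifies under secret_key, else None."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def cross_instance_accepts(key_a: str, key_b: str) -> bool:
    """Does a cookie minted by instance A (key_a) validate on instance B (key_b)?"""
    cookie = sign_session(key_a, {"user": "alice", "role": "Admin"})  # constructed session
    return load_session(key_b, cookie) is not None


def unique_key() -> str:
    """The fix: each deployment sets its own random secret_key."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Two servers left on the default key accept each other's cookies; once one
    # of them is given a unique key, the foreign cookie is rejected.
    print("shared default key:", cross_instance_accepts(DEFAULT_SECRET_KEY, DEFAULT_SECRET_KEY))
    print("unique key on B:   ", cross_instance_accepts(DEFAULT_SECRET_KEY, unique_key()))
```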