
Thuong Nguyen

#28452 of 53,634
9 Total CVSS
Vulnerabilities · 1
PT-2023-4782
9.0
2023-08-23
Apache · Apache Airflow · CVE-2023-40273
**Name of the Vulnerable Software and Affected Versions**

Apache Airflow versions prior to 2.7.0

**Description**

The issue is a session fixation vulnerability in the Airflow web interface: an authenticated user's existing sessions remain valid after an administrator resets that user's password. An attacker who has already obtained a valid session for the account (for example through stolen credentials) therefore keeps access to the webserver after the reset, since the password change alone does not end the session. Starting with Airflow 2.7.0, when the database session backend (the default) is in use, all existing sessions of the user are invalidated when an admin resets the password. When the securecookie session backend is in use, sessions are still not invalidated by a password reset; ending them requires changing the secret key and restarting the webserver. Users resetting their own password are warned about this with a flash message in the UI.

**Recommendations**

Upgrade to Apache Airflow version 2.7.0 or newer. As a temporary workaround, manually clean the session table when using the database session backend, or change the secret key and restart the webserver when using the securecookie session backend. Note that rotating the secret key logs out every user, not only the one whose password was reset, because securecookie sessions carry no server-side state that can be revoked per user.
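The following is an added illustration, not Airflow's code, of why the two session backends behave differently on password reset. It models a securecookie backend (session data is signed with a server secret and nothing is stored server-side, so the only revocation lever is rotating the secret, which logs everyone out) and a database backend (sessions are server-side rows that can be deleted per user). The HMAC-signed cookie format, the class names and the `reset_password` / `rotate_secret` methods are assumptions made for this example and do not correspond to Airflow or Flask-Session internals.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def sign_cookie(secret: bytes, payload: dict) -> str:
    """Serialize payload and append an HMAC-SHA256 tag (hypothetical cookie format)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(secret: bytes, cookie: str) -> Optional[dict]:
    """Return the payload if the tag verifies under `secret`, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class SecureCookieBackend:
    """All session state lives in the signed cookie; the server keeps only the secret key."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def login(self, user: str) -> str:
        return sign_cookie(self.secret, {"user": user})

    def is_valid(self, cookie: str) -> bool:
        return verify_cookie(self.secret, cookie) is not None

    def reset_password(self, user: str) -> None:
        # Nothing to revoke: no per-user session record exists server-side,
        # so a previously issued cookie keeps verifying.
        return None

    def rotate_secret(self) -> None:
        # The only way to reject old cookies; it invalidates every user's session.
        self.secret = secrets.token_bytes(32)


class DatabaseBackend:
    """Sessions are server-side records keyed by an opaque session id."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> user

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def reset_password(self, user: str) -> None:
        # Targeted invalidation: drop only this user's sessions.
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]


def run_scenario() -> dict:
    """Admin resets 'alice' while an attacker holds alice's session; 'bob' is an innocent bystander."""
    results = {}

    sc = SecureCookieBackend()
    alice_cookie, bob_cookie = sc.login("alice"), sc.login("bob")
    sc.reset_password("alice")
    results["securecookie_after_reset"] = sc.is_valid(alice_cookie)   # True: still valid
    sc.rotate_secret()
    results["securecookie_after_rotate"] = sc.is_valid(alice_cookie)  # False
    results["securecookie_bob_after_rotate"] = sc.is_valid(bob_cookie)  # False: collateral logout

    db = DatabaseBackend()
    alice_sid, bob_sid = db.login("alice"), db.login("bob")
    db.reset_password("alice")
    results["database_after_reset"] = db.is_valid(alice_sid)  # False: revoked per user
    results["database_bob_after_reset"] = db.is_valid(bob_sid)  # True: bob unaffected
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scenario mirrors the advisory: with securecookie sessions the password reset alone leaves the attacker's session usable and the workaround (rotating the key) logs out everyone, whereas the database backend can revoke just the affected user's sessions, which is what Airflow 2.7.0 does on reset.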