PT-2026-24054 · Apache · Apache Airflow
Sungwuk Jung · Published 2026-03-09 · Updated 2026-03-09 · CVE-2026-25604
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions prior to 9.22.0
Description
The AWS Auth Manager in Apache Airflow did not verify the origin of SAML authentication against the actual instance URL, relying instead on information provided by the client. This allowed for potential access to different instances with varying access controls by reusing SAML responses from other instances.
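The following is an added illustration of the origin check described above, not code from Apache Airflow or its AWS provider. It compares the URLs a SAML response is addressed to against an expected callback URL taken either from the request or from the instance's own configuration. The `Host` header as the client-supplied input, the callback path, the `example.com` hostnames and all function names are assumptions, and signature verification is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_PATH = "/auth/login_callback"  # hypothetical callback path (assumption)

# Constructed sample: a response the IdP issued for instance A (signature omitted).
RESPONSE_FOR_A = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://airflow-a.example.com/auth/login_callback">
  <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData
        Recipient="https://airflow-a.example.com/auth/login_callback"/>
  </saml:SubjectConfirmation></saml:Subject></saml:Assertion>
</samlp:Response>"""


def _norm(url):
    """Scheme, lower-cased host[:port] and path, for exact comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))


def intended_recipients(saml_xml):
    """Return the URLs the IdP addressed this response to (None if absent)."""
    root = ET.fromstring(saml_xml)
    urls = [root.get("Destination")]
    for elem in root.iterfind(".//saml:SubjectConfirmationData", NS):
        urls.append(elem.get("Recipient"))
    return urls


def accepts(saml_xml, expected_acs):
    """True only if every addressed URL is present and equals expected_acs."""
    urls = intended_recipients(saml_xml)
    return all(u and _norm(u) == _norm(expected_acs) for u in urls)


def acs_from_request(headers):
    """Weak: the expected URL is derived from the client-supplied Host header."""
    return f"https://{headers['Host']}{ACS_PATH}"


def acs_from_config(base_url):
    """Hardened: the expected URL comes from this instance's own configuration."""
    return base_url.rstrip("/") + ACS_PATH
```

With the request-derived URL the comparison is only as trustworthy as the request itself; with the configured URL, a response addressed to another instance is rejected regardless of what the client sends.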
Recommendations
Upgrade to version 9.22.0 of the AWS Auth Manager provider.
Fix
Origin Validation Error
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow