CVE-2026-28779

Name of the Vulnerable Software and Affected Versions Apache Airflow versions 3.1.0 through 3.1.7

Description The session token ( token) in cookies for Apache Airflow is set to path=/ regardless of the configured base url for the webserver or api. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, potentially leading to a full session takeover without directly attacking Airflow. The base url configuration determines the path prefix for Airflow web application URLs. When the session token path is not correctly aligned with the base url, it becomes vulnerable to cross-site scripting (XSS) and session hijacking attacks.

Recommendations Upgrade to Apache Airflow version 3.1.8 or later to resolve this issue.