PT-2026-33603 · Apache Airflow · Apache Airflow Providers Keycloak

Haruki Oyama
Published: 2026-04-18
Updated: 2026-05-11
CVE: CVE-2026-40948
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: apache-airflow-providers-keycloak versions prior to 0.7.0

Description: The Keycloak authentication manager neither generates nor validates the OAuth 2.0 state parameter during the login and login-callback flow, and it does not implement PKCE (Proof Key for Code Exchange), the OAuth 2.0 extension that prevents authorization code injection. An attacker with a Keycloak account in the same realm can deliver a crafted callback URL to a victim's browser, forcing the victim to be logged into the attacker's Airflow session. This login CSRF (session fixation) allows the attacker to harvest any credentials the victim subsequently stores in Airflow Connections.

Recommendations: Upgrade to version 0.7.0 or later.
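To illustrate the two missing controls named in the description, here is an added example (not code from the Airflow Keycloak provider; the host names, client id and the `session` dictionary are assumed placeholders) showing how an authorization-code client binds a login to the browser session with a state value and a PKCE verifier, so that a callback URL crafted by another account is rejected instead of logging the victim into that account's session.

```python
# Added example, not from the Airflow Keycloak provider: the login side stores
# a random `state` and a PKCE verifier in the server-side session; the callback
# side refuses any URL whose state does not match that session. Host names and
# the `session` dict are placeholders standing in for the real ones.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Start a login: remember state + verifier for this browser, return the redirect."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)  # 86 chars, within 43..128
    challenge = _b64url(hashlib.sha256(session["pkce_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["oauth_state"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Check the callback against this browser's session; return token-request fields."""
    query = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("oauth_state", None)  # single use: consume it
    verifier = session.pop("pkce_verifier", None)
    if not expected_state or not verifier:
        raise PermissionError("no login in progress for this browser session")
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("callback carries no authorization code")
    # The verifier travels with the code to the token endpoint; Keycloak checks that
    # SHA-256(verifier) equals the challenge it saw, so a code issued for a different
    # session cannot be redeemed here even if the state check were somehow bypassed.
    return {"grant_type": "authorization_code", "code": code, "code_verifier": verifier}
```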

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-40948
GHSA-5W6H-PJW6-WVC6

Affected Products

Apache Airflow Providers Keycloak