CVE-2026-41017

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2

Description The JWTRefreshMiddleware sets the JWT authentication cookie without the Secure flag. In deployments where the Airflow API server is positioned behind an HTTPS-terminating reverse proxy, the session JWT can be replayed over cleartext HTTP requests to the same host. A network-positioned attacker could induce a logged-in user's browser to issue an HTTP request to the hostname, capture the JWT cookie, and replay it against the authenticated API.

Recommendations Upgrade to version 3.2.2 or later.