VYPR
High severity · NVD Advisory · Published Mar 17, 2026 · Updated Mar 17, 2026

Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

CVE-2026-28779

Description

In Apache Airflow versions 3.1.0 through 3.1.7, the session token (_token) cookie is set with path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Airflow 3.1.0–3.1.7 sets session cookie path to "/" regardless of base_url, allowing co-hosted apps on the same domain to hijack sessions.

Vulnerability

Overview

CVE-2026-28779 affects Apache Airflow versions 3.1.0 through 3.1.7. The session token (_token) cookie is always set with path=/, ignoring the configured [webserver] base_url or [api] base_url [2][3]. This means the cookie is sent by the browser to every path under the domain, not just the Airflow application's intended path.

Exploitation

Scenario

An attacker does not need to compromise Airflow itself. Any other application hosted on the same domain (e.g., a different web app on example.com/other) can read the _token cookie from incoming HTTP requests, because the browser attaches a path=/ cookie to every request on that host. The attacker can then use that stolen session token to impersonate the victim user against the Airflow instance [2][3]. No authentication bypass or code execution in Airflow is required; the flaw is purely in cookie scoping.

Impact

Successful exploitation leads to full session takeover. An attacker gains the same privileges as the victim user within Airflow, potentially allowing them to view, modify, or delete workflows, access sensitive data, and perform any actions the victim could [2][3]. The CVSS 4.0 vector has not yet been assigned by NVD, but the issue is rated Medium severity by the Apache project [3].

Mitigation

The fix was implemented in pull request #62771 and released in Apache Airflow 3.1.8 [3][4]. Users are strongly recommended to upgrade to 3.1.8 or later. The patch scopes the session cookie to the configured base_url, preventing it from being sent to unrelated paths on the same domain [4].
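As an added illustration (not Airflow's own code or the actual patch), the following Python builds the _token Set-Cookie header both the pre-3.1.8 way (path=/) and scoped to a base_url, then applies the RFC 6265 path-match rule a browser uses to decide whether to attach the cookie; the base_url and token values are constructed.

```python
from http import cookies
from urllib.parse import urlparse


def cookie_path_for(base_url: str) -> str:
    """Derive the cookie Path attribute from a configured base_url.
    '' or '/' yields '/'; 'https://example.com/airflow/' yields '/airflow'."""
    path = urlparse(base_url).path.rstrip("/")
    return path or "/"


def session_cookie(token: str, base_url: str, scoped: bool) -> str:
    """Build a Set-Cookie line for the _token cookie.
    scoped=False reproduces the vulnerable behaviour (always Path=/)."""
    c = cookies.SimpleCookie()
    c["_token"] = token
    c["_token"]["path"] = cookie_path_for(base_url) if scoped else "/"
    c["_token"]["httponly"] = True
    c["_token"]["secure"] = True
    c["_token"]["samesite"] = "Lax"
    return c.output(header="").strip()


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: True if a browser would attach
    a cookie carrying Path=cookie_path to a request for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


def cookie_sent_to(set_cookie: str, request_path: str) -> bool:
    """Parse a Set-Cookie line and report whether it reaches request_path."""
    c = cookies.SimpleCookie()
    c.load(set_cookie)
    return path_matches(c["_token"]["path"], request_path)


if __name__ == "__main__":
    base = "https://example.com/airflow/"  # constructed base_url
    for scoped in (False, True):
        hdr = session_cookie("constructed-token", base, scoped)
        print(hdr)
        for p in ("/airflow/home", "/other/app"):
            print(f"  sent to {p}: {cookie_sent_to(hdr, p)}")
```

The check in cookie_sent_to can be run against a real Set-Cookie header captured from an Airflow login response to confirm an upgraded instance no longer emits Path=/ when a base_url is configured.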

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
apache-airflow (PyPI) | >= 3.0.0, < 3.1.8 | 3.1.8

Affected products (2)

  • Apache/Airflow (llm-fuzzy)
    Range: >=3.1.0, <=3.1.7
  • Apache Software Foundation/Apache Airflow (v5)
    Range: 3.0.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.