CVE-2026-40948
Description
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade apache-airflow-providers-keycloak to 0.7.0 or later.
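The defence the advisory describes is a per-session `state` value that the callback must echo back, plus a PKCE verifier that binds the authorization code to the browser that started the login. The following is an added illustration of that pattern and is not code from apache-airflow-providers-keycloak or Keycloak; the endpoint URLs, client id and session-dict shape are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint values; not taken from the provider or any Keycloak deployment.
AUTHORIZE_URL = "https://keycloak.example.invalid/realms/airflow/protocol/openid-connect/auth"
CLIENT_ID = "airflow"
REDIRECT_URI = "https://airflow.example.invalid/auth/login_callback"


class LoginCsrfError(Exception):
    """Raised when a callback cannot be tied to a login this browser started."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def query_param(url: str, name: str) -> str:
    """Return a single query parameter from a URL, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge as defined in RFC 7636."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(session: dict) -> str:
    """Store a fresh state and PKCE verifier in the browser session, return the authorize URL.

    `session` stands in for the server-side session bound to this browser's cookie.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 allowed by RFC 7636
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the callback against this browser's session.

    Returns the values the token-endpoint request needs (code, code_verifier,
    redirect_uri). Raises LoginCsrfError for a callback that this browser did not
    start, that carries a foreign or missing state, or that replays a used state.
    """
    expected_state = session.pop("oauth_state", None)  # single use: pop, never get
    verifier = session.pop("pkce_verifier", None)
    if not expected_state or not verifier:
        raise LoginCsrfError("no login in progress for this browser session")
    presented_state = query_param(callback_url, "state")
    if not hmac.compare_digest(presented_state, expected_state):
        raise LoginCsrfError("state mismatch: callback was not initiated by this browser")
    code = query_param(callback_url, "code")
    if not code:
        raise LoginCsrfError("missing authorization code")
    # The verifier is sent to the token endpoint; Keycloak recomputes S256 and refuses
    # a code whose challenge was made by a different browser session.
    return {"code": code, "code_verifier": verifier, "redirect_uri": REDIRECT_URI}


if __name__ == "__main__":
    browser = {}
    url = begin_login(browser)
    # Constructed callback, as the IdP would redirect it back to the app.
    cb = f"{REDIRECT_URI}?code=constructed-code&state={query_param(url, 'state')}"
    print(handle_callback(browser, cb))
```

The important details are that the state is looked up only in the session of the browser presenting the callback, is compared with a constant-time comparison, and is removed on first use so a captured callback URL cannot be replayed; a callback carrying a state minted for some other account's session, or none at all, is rejected before any token exchange takes place.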
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow-providers-keycloak (PyPI) | >= 0.0.1, < 0.7.0 | 0.7.0 |
Affected products
- cpe:2.3:a:apache:apache-airflow-providers-keycloak:*:*:*:*:*:*:*:* (range: >= 0.0.1, < 0.7.0)
Patches
No patches discovered yet.
References
- https://github.com/apache/airflow/pull/64114 (NVD: Issue Tracking, Patch)
- https://www.openwall.com/lists/oss-security/2026/04/17/14 (NVD: Mailing List, Third Party Advisory)
- https://github.com/advisories/GHSA-5w6h-pjw6-wvc6 (GHSA advisory)
- https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q (NVD: Mailing List, Vendor Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-40948 (NVD entry)