High severity7.2NVD Advisory· Published Jun 1, 2026· Updated Jun 2, 2026
CVE-2026-40961
CVE-2026-40961
Description
A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the is_safe_url check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to apache-airflow 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airflow behind a reverse proxy that strips off-domain next= query parameters before they reach the login endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/apache/airflow/pull/65557nvdIssue TrackingPatch
- www.openwall.com/lists/oss-security/2026/05/31/2nvdMailing ListThird Party Advisory
- lists.apache.org/thread/qmt8ksh7gty6b8hr9w294t94j36jdv1qnvdMailing ListVendor Advisory
News mentions
1- Apache Airflow: 17 Vulnerabilities Disclosed on June 1, 2026Vypr Intelligence · Jun 1, 2026