PyPI package
apache-airflow-providers-keycloak
pkg:pypi/apache-airflow-providers-keycloak
Vulnerabilities (1)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40948 | Med | 5.4 | | >= 0.0.1, < 0.7.0 | 0.7.0 | Apr 18, 2026 | The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback |