Platform
python
Component
apache-airflow-providers-keycloak
Fixed in
0.7.0
CVE-2026-40948 is a Cross-Site Request Forgery (CSRF) vulnerability in the Keycloak authentication manager of the Apache Airflow Providers Keycloak package. An attacker can use it to log a victim's browser into an Airflow session the attacker controls, and from there potentially harvest credentials stored in Airflow Connections. Versions from 0.0.1 up to, but not including, 0.7.0 are affected; the fix ships in 0.7.0.
CVE-2026-40948 in the Keycloak authentication manager of apache-airflow-providers-keycloak allows an attacker who holds a Keycloak account in the same realm to perform a session fixation or Cross-Site Request Forgery (CSRF) attack. The root cause is that the login/login-callback flow neither generates nor validates the OAuth 2.0 `state` parameter and does not use PKCE (Proof Key for Code Exchange), so the callback accepts any valid authorization code regardless of who started the login. An attacker can trick a user into visiting a crafted callback URL, impersonate that user in Airflow, and potentially read credentials stored in Airflow Connections.
Exploitation requires a Keycloak account in the same realm as the vulnerable Airflow instance. The attacker crafts a callback URL carrying an authorization code issued for their own account and sends it to a legitimate user; if the user opens it, the attacker gains control over that user's Airflow session. Exploitation complexity is low: no advanced skills are needed beyond a valid Keycloak account and a way to deliver a link, although it does depend on the victim clicking it. The impact is high, since it enables identity impersonation and potential access to confidential data.
Exploit Status
EPSS
0.01% (1st percentile)
The primary mitigation for CVE-2026-40948 is to upgrade apache-airflow-providers-keycloak to version 0.7.0 or later. That release generates and validates the `state` parameter and enables PKCE in the Keycloak authentication flow, so a callback can only complete the login that the same browser session started. Apply the update as soon as possible. Until then, treat credentials stored in Airflow Connections as exposed if you suspect a session was hijacked and rotate them, keep access controls on the Airflow instance tight, and monitor login activity for anomalies.
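The following is an added example, not code from this page or from the apache-airflow-providers-keycloak project. It models the login/login-callback flow described above in both forms: a manager that, like the affected versions, neither checks `state` nor uses PKCE, beside one that binds a per-session `state` and a PKCE S256 challenge to the login, as the 0.7.0 fix is described. A constructed `FakeKeycloak` stands in for the realm's authorization and token endpoints so the whole thing runs offline; the endpoint URLs, client id, class names and the users `alice` and `mallory` are assumptions made for illustration. `login_csrf` replays the advisory's scenario: `mallory`, a real account in the realm, obtains a code for herself and sends the victim a callback URL carrying it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed, illustrative endpoints; they are not taken from the provider's code.
AUTH_ENDPOINT = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"
CALLBACK = "https://airflow.example/auth/callback"


def s256(verifier):
    # PKCE S256 challenge (RFC 7636): base64url(sha256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class FakeKeycloak:
    """Constructed stand-in for the realm's authorization and token endpoints."""

    def __init__(self, require_pkce=False):
        self.require_pkce = require_pkce  # the Keycloak client's PKCE setting, as a flag
        self._codes = {}                  # code -> (subject, code_challenge)

    def authorize(self, subject, code_challenge=None):
        if self.require_pkce and not code_challenge:
            raise ValueError("client requires PKCE")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, code_challenge)
        return code

    def token(self, code, code_verifier=None):
        subject, challenge = self._codes.pop(code)  # KeyError: unknown or replayed code
        if challenge and (not code_verifier or s256(code_verifier) != challenge):
            raise PermissionError("pkce verification failed")
        return {"sub": subject}


class _AuthManager:
    def __init__(self, idp):
        self.idp = idp


class VulnerableAuthManager(_AuthManager):
    """Models the pre-0.7.0 behaviour the advisory describes: no state, no PKCE."""

    def login(self, session):
        return AUTH_ENDPOINT + "?" + urlencode(
            {"response_type": "code", "client_id": "airflow", "redirect_uri": CALLBACK})

    def login_callback(self, session, url):
        code = parse_qs(urlparse(url).query)["code"][0]
        session["user"] = self.idp.token(code)["sub"]  # any valid code is accepted
        return session["user"]


class HardenedAuthManager(_AuthManager):
    """Per-session state plus PKCE (S256): the shape of fix the advisory describes."""

    def login(self, session):
        session["oauth_state"] = secrets.token_urlsafe(32)
        session["pkce_verifier"] = secrets.token_urlsafe(64)
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": "airflow", "redirect_uri": CALLBACK,
            "state": session["oauth_state"],
            "code_challenge": s256(session["pkce_verifier"]),
            "code_challenge_method": "S256"})

    def login_callback(self, session, url):
        q = parse_qs(urlparse(url).query)
        expected = session.pop("oauth_state", None)  # single use: pop, never reuse
        verifier = session.pop("pkce_verifier", None)
        if not expected or not secrets.compare_digest(expected, q.get("state", [""])[0]):
            raise PermissionError("state mismatch")
        session["user"] = self.idp.token(q["code"][0], verifier)["sub"]
        return session["user"]


def legitimate_login(manager_cls, require_pkce=False):
    """Honest flow: the browser follows the login URL and Keycloak redirects back."""
    idp = FakeKeycloak(require_pkce)
    manager, session = manager_cls(idp), {}
    q = parse_qs(urlparse(manager.login(session)).query)
    code = idp.authorize("alice", q.get("code_challenge", [None])[0])
    params = {"code": code, **({"state": q["state"][0]} if "state" in q else {})}
    return manager.login_callback(session, CALLBACK + "?" + urlencode(params))


def login_csrf(manager_cls, require_pkce=False, leak_state=False):
    """Attacker 'mallory' gets a code for herself and sends the victim a callback URL
    carrying it. Returns the victim session's user, or why the callback was refused."""
    idp = FakeKeycloak(require_pkce)
    manager, victim = manager_cls(idp), {}
    manager.login(victim)  # the victim has a login in progress
    challenge = s256(secrets.token_urlsafe(64)) if require_pkce else None
    params = {"code": idp.authorize("mallory", challenge)}
    if leak_state:  # worst case: the attacker somehow learned the victim's state
        params["state"] = victim["oauth_state"]
    try:
        return manager.login_callback(victim, CALLBACK + "?" + urlencode(params))
    except PermissionError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":  # quick demo: victim becomes 'mallory' vs. callback refused
    print(login_csrf(VulnerableAuthManager), login_csrf(HardenedAuthManager, True, True))
```

Against the vulnerable manager the victim's session ends up logged in as `mallory`; against the hardened one the callback is refused for a `state` mismatch, and even if the attacker somehow knew the victim's `state`, the token exchange fails because the code was bound to the attacker's PKCE challenge, not the verifier held in the victim's session. Note that the PKCE check only bites when Keycloak enforces it for the client (modelled here by `require_pkce`), so enabling PKCE in the provider is best paired with requiring it on the Keycloak client.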
Upgrade the `apache-airflow-providers-keycloak` package to version 0.7.0 or later to mitigate the CSRF vulnerability in the OAuth authentication flow. The update adds validation of the `state` parameter and PKCE protection, preventing an attacker from hijacking Airflow sessions.
PKCE (Proof Key for Code Exchange) is an OAuth 2.0 extension that binds an authorization code to the client that requested it: the client sends a hash of a random `code_verifier` when starting the login and the verifier itself when redeeming the code. An intercepted or attacker-supplied code therefore cannot be exchanged for tokens without the matching verifier.
CSRF (Cross-Site Request Forgery) is an attack in which an attacker tricks an authenticated user's browser into performing unwanted actions on a web application. In this case it is a login CSRF: the victim's browser completes the OAuth callback with an authorization code the attacker supplied.
Immediately upgrade to version 0.7.0 or higher of apache-airflow-providers-keycloak.
Monitor Airflow logs for unusual logins or suspicious activity.
Yes, any Airflow instance using the apache-airflow-providers-keycloak provider and running a version prior to 0.7.0 is vulnerable.