Description

A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint.
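The description names two controls: a same-origin check on the `next` target at the application (the role `is_safe_url` plays in Airflow) and, as defense in depth, a reverse proxy that drops off-domain `next=` parameters before the login endpoint sees them. The Python below is an added illustration of both written for this page; it is not Airflow's `is_safe_url`, not the change in the linked pull request, and not any particular proxy's configuration. `ALLOWED_HOST`, `safe_next_url` and `strip_unsafe_next` are assumed names, and the host value is constructed.

```python
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse

# Constructed trusted origin for this example (hostname only, no port).
ALLOWED_HOST = "airflow.example.internal"


def safe_next_url(next_url: str, allowed_host: str = ALLOWED_HOST, default: str = "/") -> str:
    """Return a canonical same-origin URL to redirect to, or `default`.

    Hypothetical check, not Airflow's is_safe_url. The candidate is resolved
    against the trusted origin first and the *resolved* URL is what gets
    returned, so the redirect target is the string whose host was verified,
    not the raw user-supplied value with its parsing ambiguities.
    """
    if not next_url:
        return default
    # Backslashes and control/space characters are treated inconsistently by
    # URL parsers and browsers; refuse them outright rather than normalise.
    if "\\" in next_url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_url):
        return default
    resolved = urlparse(urljoin(f"https://{allowed_host}/", next_url))
    # Require https and an exact authority match. Comparing netloc (not just
    # hostname) also rejects userinfo ("user@host") and a non-default port.
    if resolved.scheme != "https" or resolved.netloc.lower() != allowed_host.lower():
        return default
    return resolved.geturl()


def strip_unsafe_next(query_string: str, allowed_host: str = ALLOWED_HOST) -> str:
    """Drop every next= parameter that is not same-origin; keep all other keys.

    Models what the proxy-side mitigation in the advisory does before
    forwarding a login request (hypothetical logic, not a specific proxy's
    rule syntax). A safe next= value is preserved as given.
    """
    kept = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == "next" and safe_next_url(value, allowed_host, default="") == "":
            continue
        kept.append((key, value))
    return urlencode(kept)


if __name__ == "__main__":
    for candidate in ["/home?tab=1", "//evil.example/", "https://airflow.example.internal/dags"]:
        print(f"{candidate!r:45} -> {safe_next_url(candidate)!r}")
    print(strip_unsafe_next("next=https://evil.example/&foo=1"))
```

Note the design choice: the function returns the resolved URL rather than a boolean, so callers redirect to the value that was actually checked. Relative paths such as `/home?tab=1` are accepted and canonicalised to the trusted origin, while protocol-relative, off-host, userinfo-bearing and non-https targets all fall back to the default landing page.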

Status: PUBLISHED | Reserved 2026-04-16 | Published 2026-06-01 | Updated 2026-06-02 | Assigner: apache

Problem types

CWE-601: URL Redirection to Untrusted Site (Open Redirect)

Product status

Default status: unaffected
3.0.0 (semver) before 3.2.2: affected

Credits

Fushuling@secsys (finder)

RacerZ@secsys (finder)

Aritra Basu (remediation developer)

References

www.openwall.com/lists/oss-security/2026/05/31/2

github.com/apache/airflow/pull/65557 patch

lists.apache.org/thread/qmt8ksh7gty6b8hr9w294t94j36jdv1q vendor-advisory

cve.org (CVE-2026-40961)

nvd.nist.gov (CVE-2026-40961)