Vulnerability Overview

CVE ID: CVE-2026-40948
Vulnerability Name: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager
Severity: Low

Description:
- In , the Keycloak authentication manager does not generate or validate the OAuth 2.0 'state' parameter during the login/login-callback flow, and does not use PKCE.
- An attacker can send a specially crafted callback URL to the victim's browser, causing the victim to be logged into the attacker's Airflow session (login CSRF / session fixation).
- The attacker can then steal any credentials the victim subsequently stores in Airflow connections.

Impact Scope

Affected Versions:
- Apache Airflow Keycloak Provider ( ) versions 0.0.1 to 0.7.0

Remediation Recommendation:
Users should upgrade to version 0.7.0 or later.

References
- GitHub Pull Request
- Airflow Official Website
- CVE Record

Contributors
Discoverer: Haruki Oyama (Waseda University)
Fix Developer: Anika Basu
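The missing control described above, shown as an added illustration that is not the provider's own code: a minimal login-start and callback handler that binds a random `state` and a PKCE verifier to the server-side session, then rejects any callback whose state is absent, mismatched, or reused, beside the unchecked handler that accepts whatever callback arrives. The Keycloak endpoint URL, client id and the dict-based session are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Keycloak authorization endpoint and client id (placeholders).
AUTHORIZE_URL = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"
CLIENT_ID = "airflow"


def vulnerable_callback(callback_url: str) -> Optional[str]:
    """Unchecked handler: any URL carrying a code is accepted, so a code
    belonging to someone else's login can be planted in the victim's session."""
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]


def begin_login(session: dict, redirect_uri: str) -> str:
    """Start the login: store a fresh state and PKCE verifier in the session
    and build the authorization redirect that carries them."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()
    ).rstrip(b"=").decode()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> Optional[Tuple[str, str]]:
    """Hardened handler: the callback is honoured only if its state equals the
    one this session issued. Returns (code, verifier) for the token exchange,
    or None. State and verifier are single-use, so a replay also fails."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    received = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if not (expected and received and code and verifier):
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return code, verifier
```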