Vulnerability-Lookup

CNVD-2026-15156

Vulnerability from cnvd - Published: 2026-03-27

Title

Apache Airflow信息泄露漏洞（CNVD-2026-15156）

Description

Apache Airflow是美国阿帕奇（Apache）基金会的一套具有创建、管理和监控工作流程功能的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow存在信息泄露漏洞，该漏洞源于会话令牌路径设置不当，攻击者可利用该漏洞导致同域下任何应用程序捕获有效会话令牌，实现完全会话接管。

Severity

高

Patch Name

Apache Airflow信息泄露漏洞（CNVD-2026-15156）的补丁

Patch Description

Apache Airflow是美国阿帕奇（Apache）基金会的一套具有创建、管理和监控工作流程功能的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow存在信息泄露漏洞，该漏洞源于会话令牌路径设置不当，攻击者可利用该漏洞导致同域下任何应用程序捕获有效会话令牌，实现完全会话接管。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://airflow.apache.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-28779

Impacted products

Name
Apache Airflow >=3.0.0，<3.1.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-28779",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-28779"
    }
  },
  "description": "Apache Airflow\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5177\u6709\u521b\u5efa\u3001\u7ba1\u7406\u548c\u76d1\u63a7\u5de5\u4f5c\u6d41\u7a0b\u529f\u80fd\u7684\u5f00\u6e90\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u53ef\u6269\u5c55\u548c\u52a8\u6001\u76d1\u63a7\u7b49\u7279\u70b9\u3002 \n\nApache Airflow\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f1a\u8bdd\u4ee4\u724c\u8def\u5f84\u8bbe\u7f6e\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u540c\u57df\u4e0b\u4efb\u4f55\u5e94\u7528\u7a0b\u5e8f\u6355\u83b7\u6709\u6548\u4f1a\u8bdd\u4ee4\u724c\uff0c\u5b9e\u73b0\u5b8c\u5168\u4f1a\u8bdd\u63a5\u7ba1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://airflow.apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-15156",
  "openTime": "2026-03-27",
  "patchDescription": "Apache Airflow\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5177\u6709\u521b\u5efa\u3001\u7ba1\u7406\u548c\u76d1\u63a7\u5de5\u4f5c\u6d41\u7a0b\u529f\u80fd\u7684\u5f00\u6e90\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u53ef\u6269\u5c55\u548c\u52a8\u6001\u76d1\u63a7\u7b49\u7279\u70b9\u3002 \r\n\r\nApache Airflow\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f1a\u8bdd\u4ee4\u724c\u8def\u5f84\u8bbe\u7f6e\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u540c\u57df\u4e0b\u4efb\u4f55\u5e94\u7528\u7a0b\u5e8f\u6355\u83b7\u6709\u6548\u4f1a\u8bdd\u4ee4\u724c\uff0c\u5b9e\u73b0\u5b8c\u5168\u4f1a\u8bdd\u63a5\u7ba1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Airflow\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-15156\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Airflow \u003e=3.0.0\uff0c\u003c3.1.8"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-28779",
  "serverity": "\u9ad8",
  "submitTime": "2026-03-19",
  "title": "Apache Airflow\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-15156\uff09"
}

CVE-2026-28779 (GCVE-0-2026-28779)

Vulnerability from cvelistv5 – Published: 2026-03-17 10:15 – Updated: 2026-03-17 13:45

Title

Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

Summary

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Severity ?

No CVSS data available.

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Assigner

apache

References

URL

Tags

	https://github.com/apache/airflow/pull/62771	patch
	https://lists.apache.org/thread/r4n5znb8mcq14wo9v…	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Airflow	Affected: 3.0.0 , < 3.1.8 (semver)

Credits

Daniel Wolf Daniel Wolf

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-17T13:32:03.724Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/17/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-28779",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T13:44:27.820701Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T13:45:02.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.python.org",
          "defaultStatus": "unaffected",
          "packageName": "apache-airflow",
          "product": "Apache Airflow",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.1.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Wolf"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daniel Wolf"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Apache Airflow versions 3.1.0 through 3.1.7\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esession token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url.\u003cbr\u003e\u003cp\u003eThis allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.\u003c/p\u003e\u003c/span\u003eUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.\u003cbr\u003e"
            }
          ],
          "value": "Apache Airflow versions 3.1.0 through 3.1.7\u00a0session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url.\nThis allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "Medium"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-17T10:43:19.750Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/airflow/pull/62771"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-28779",
    "datePublished": "2026-03-17T10:15:59.132Z",
    "dateReserved": "2026-03-03T10:12:24.113Z",
    "dateUpdated": "2026-03-17T13:45:02.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-15156

CVE-2026-28779 (GCVE-0-2026-28779)

Tags

Sightings

Nomenclature