Vulnerabilities ›

CVE-2026-41017

Medium

CWE-614 — Weakness Type

                    Published: Jun 1, 2026                      ·  Modified: Jun 4, 2026                      ·  Source: NVD                

CVSS v3

5.9

🔗 NVD Official

📄 Description (English)

Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

🤖 AI Executive Summary

Apache Airflow's JWTRefreshMiddleware fails to set the Secure flag on JWT authentication cookies, allowing session token interception in HTTPS-terminating reverse proxy deployments. Network-positioned attackers can capture and replay JWT cookies via cleartext HTTP requests to compromise user sessions.

📄 Description (Arabic)

يفشل Apache Airflow في تعيين علم Secure على ملفات تعريف JWT، مما يسمح باعتراض الرموز في بيئات الوكيل العكسي الذي ينهي HTTPS. يمكن للمهاجمين في الشبكة التقاط وإعادة تشغيل ملفات تعريف JWT عبر طلبات HTTP غير المشفرة للوصول إلى واجهات برمجة التطبيقات المصرح بها.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: Jun 1, 2026 20:57

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

energy government banking telecom

🎯 MITRE ATT&CK Techniques

T1539 T1550 T1187

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade Apache Airflow to the patched version that sets the Secure flag on JWT authentication cookies. Ensure all Airflow API servers are deployed behind HTTPS-terminating reverse proxies with proper TLS configuration. Implement network segmentation to restrict access to Airflow API endpoints. Monitor for suspicious JWT token usage patterns.

🔧 خطوات المعالجة (العربية)

قم بترقية Apache Airflow إلى الإصدار المصحح الذي يعين علم Secure على ملفات تعريف JWT. تأكد من نشر جميع خوادم Airflow API خلف وكلاء عكسيين ينهيان HTTPS مع تكوين TLS مناسب. تنفيذ تقسيم الشبكة لتقييد الوصول إلى نقاط نهاية Airflow API. مراقبة أنماط استخدام رموز JWT المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.2 5.2.1

🔵 SAMA CSF

AC-3 SC-7

🟡 ISO 27001:2022

A.6.2.1 A.13.1.1

🔗 References & Sources 3

🔗

https://github.com/apache/airflow/pull/65348

security@apache.org

Issue Tracking Patch

🔗

https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch

security@apache.org

Mailing List Vendor Advisory

🔗

http://www.openwall.com/lists/oss-security/2026/05/31/6

af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

📦 Affected Products / CPE 1 entries

apache:airflow

📊 CVSS Score

5.9

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.9

CWECWE-614

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-06-01

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

patch-available CWE-614

🏢 Vendor Advisories

🔗 https://lists.apache.org/thread/9jx0sk49c1250zflx0q3...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-41017

Introduce Yourself

Sign In Required