CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

March 17, 2026 (updated March 18, 2026)

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

github.com/advisories/GHSA-4fhm-p86v-hwpx
github.com/apache/airflow
github.com/apache/airflow/pull/62771
lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb
nvd.nist.gov/vuln/detail/CVE-2026-28779

Code Behaviors & Features

Detect and mitigate CVE-2026-28779 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →