CVE-2026-40961

EUVD-2026-33597

01.06.2026, 09:16

A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
apache	CNA	UNKNOWN				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
apache	airflow	3.0.0 ≤ 𝑥 < 3.2.2	CNA

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/apache/airflow/pull/65557

https://lists.apache.org/thread/qmt8ksh7gty6b8hr9w294t94j36jdv1q

http://www.openwall.com/lists/oss-security/2026/05/31/2