PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40961 Apache Software Foundation CVE debrief

A URL redirection vulnerability in Apache Airflow's login redirect route allows authenticated users to craft URLs that bypass the `is_safe_url` validation, enabling open redirect attacks from a trusted Airflow domain to attacker-controlled origins. The flaw resides in insufficient validation of the `next=` query parameter during login flow redirection. Apache has addressed this in version 3.2.2. The vulnerability was published to the NVD on June 1, 2026, with a fix pull request and security discussion available via official Apache channels.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow versions prior to 3.2.2, particularly those with internet-facing or multi-tenant deployments where authenticated users could leverage redirects for phishing or credential harvesting against other users.

Technical summary

The vulnerability exists in Apache Airflow's login redirect route where the `is_safe_url` check can be bypassed through crafted URLs, allowing authenticated users to redirect from a trusted Airflow instance to arbitrary external domains. This is classified as CWE-601 (URL Redirection to Untrusted Site). The attack requires an authenticated session and leverages the `next=` query parameter commonly used in login flows. The vendor fix in apache-airflow 3.2.2 corrects the URL validation logic. A compensating control involves reverse proxy filtering of the `next=` parameter to prevent off-domain redirection requests from reaching the application.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade apache-airflow to version 3.2.2 or later to obtain the vendor fix for the login redirect validation flaw.
  • As a defense-in-depth measure, deploy Airflow behind a reverse proxy configured to strip or validate off-domain `next=` query parameters before they reach the login endpoint.
  • Review access logs for anomalous `next=` parameter values in requests to the login redirect route to identify potential exploitation attempts.
  • Verify that any custom authentication integrations or login handlers do not independently reintroduce open redirect behavior through similar `next` parameter handling.
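The technical summary above describes a `next=` value that slips past the application's own `is_safe_url` check, and the defensive actions call for proxy-side filtering and log review. The following is an added example, not Airflow's or PatchSiren's code, of a strict same-origin check for a login-flow `next=` value and a scan of constructed access-log lines for values that fail it; the function names, the `/login` path and the log lines are all assumptions.

```python
# Added example (not Airflow's or PatchSiren's code): a strict allow-list
# check for a login-flow next= value, plus a scan of constructed access-log
# lines for values that fail it. Names and the /login path are hypothetical.
import re
from urllib.parse import unquote, urlsplit


def is_safe_next(value: str) -> bool:
    """Accept only a same-origin, path-only redirect target."""
    if not value or len(value) > 2048:
        return False
    # Decode once so percent-encoded '/' or '\' cannot smuggle a host.
    candidate = unquote(value)
    # Control characters and backslashes are rejected outright: browsers
    # normalise '\' to '/', which turns "/\host" into "//host".
    if any(ord(ch) < 0x20 or ch in "\\\x7f" for ch in candidate):
        return False
    # Exactly one leading slash: "//host" is a protocol-relative URL.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    # Second check that no scheme or authority survived the rules above.
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""


NEXT_RE = re.compile(r'[?&]next=([^ &"]+)')


def flag_unsafe_redirects(log_lines):
    """Return (line_no, decoded next value) for each request whose
    next= parameter fails is_safe_next; input is a list of log lines."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = NEXT_RE.search(line)
        if match and not is_safe_next(match.group(1)):
            hits.append((lineno, unquote(match.group(1))))
    return hits


# Constructed sample lines in a common-log shape; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jun/2026:10:00:01 +0000] "GET /login?next=/dags HTTP/1.1" 302 0',
    '10.0.0.7 - bob [01/Jun/2026:10:00:02 +0000] "GET /login?next=//attacker.example/ HTTP/1.1" 302 0',
    '10.0.0.9 - carol [01/Jun/2026:10:00:03 +0000] "GET /login?next=/%5Cattacker.example HTTP/1.1" 302 0',
    '10.0.0.9 - carol [01/Jun/2026:10:00:04 +0000] "GET /login?next=https://airflow.example/home HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for lineno, target in flag_unsafe_redirects(SAMPLE_LOG):
        print(f"line {lineno}: off-origin next= target {target!r}")
```

The check is deliberately stricter than a host allow-list: it rejects every absolute URL, including ones pointing at the Airflow host itself, because a path-only target is the only form a login flow needs.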

Evidence notes

The NVD record lists CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect') as the primary weakness. The fix is tracked via GitHub pull request 65557, and an Apache security mailing list thread documents coordinated disclosure.

Official resources

The CVE was published on June 1, 2026. Apache has released a fix in apache-airflow 3.2.2 and disclosed the issue through official project security channels.