PatchSiren cyber security CVE debrief

CVE-2026-41017 Apache Software Foundation CVE debrief

Apache Airflow's JWTRefreshMiddleware fails to set the Secure flag on JWT authentication cookies, exposing session tokens to cleartext transmission in deployments using TLS-terminating reverse proxies. When the Airflow API server sits behind an HTTPS-terminating proxy (nginx, Envoy, managed load balancers) that forwards plaintext HTTP to the backend, the middleware's omission of the Secure attribute causes browsers to transmit the JWT cookie over any unencrypted HTTP connection to the same host. A network-positioned attacker—via Wi-Fi MITM, hostile LAN segment, or captive portal—can induce a logged-in user's browser to make an HTTP request to the deployment hostname, capture the JWT from the cleartext request, and replay it to authenticate against the API. The vulnerability specifically affects cloud-native topologies where TLS termination occurs at the proxy layer and the cookie's secure-by-default protection is relied upon for session integrity.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow behind TLS-terminating load balancers or reverse proxies, particularly in cloud-native deployments where the API server receives plaintext HTTP from the proxy tier. Security teams responsible for session management and infrastructure hardening in Airflow environments.

Technical summary

The JWTRefreshMiddleware in Apache Airflow sets authentication cookies without the Secure attribute. In deployments where a reverse proxy terminates TLS and communicates with the Airflow API server via HTTP, browsers will transmit these cookies over cleartext HTTP connections to the same host. This enables network-based attackers to capture and replay session JWTs for unauthorized API access.

Defensive priority

high

Recommended defensive actions

  • Upgrade to apache-airflow 3.2.2 or later to obtain the Secure flag fix for JWT authentication cookies
  • Verify that JWTRefreshMiddleware cookies include the Secure attribute after upgrade by inspecting Set-Cookie headers in API responses
  • For deployments behind TLS-terminating reverse proxies, confirm the proxy forwards the original protocol scheme or that Airflow configuration correctly identifies HTTPS termination
  • Review load balancer and proxy configurations to ensure X-Forwarded-Proto or equivalent headers are properly passed to the Airflow API server
  • Audit existing session JWTs and consider rotating them if compromise is suspected in environments matching the vulnerable topology
  • Monitor for unauthorized API access using captured session tokens as an indicator of potential exploitation
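A check for the verification step above, added here as an example (not PatchSiren's or the Airflow project's code): it parses the Set-Cookie headers an API response returns and flags any session cookie a browser would send over plain HTTP because Secure is absent, plus the HttpOnly and SameSite attributes as a secondary review. The sample headers and the cookie name `_token` are constructed placeholders; substitute the cookie name your deployment actually issues.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive (RFC 6265)."""
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].partition("=")[0].strip()
    attrs = {}
    for seg in segments[1:]:
        key, _, value = seg.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_set_cookie_headers(headers: Iterable[str], watch: Optional[Set[str]] = None) -> List[str]:
    """Return one finding per weak attribute; restrict to the cookies in `watch` if given."""
    findings = []
    for header in headers:
        report = parse_set_cookie(header)
        if watch and report.name not in watch:
            continue
        if not report.secure:
            findings.append(f"{report.name}: missing Secure; browser will send it over cleartext HTTP to this host")
        if not report.httponly:
            findings.append(f"{report.name}: missing HttpOnly; readable from page scripts")
        if report.samesite is None:
            findings.append(f"{report.name}: missing SameSite")
    return findings


# Constructed samples: "_token" is a placeholder name, not necessarily Airflow's real cookie name.
VULNERABLE_HEADERS = ["_token=PLACEHOLDER_JWT; Path=/; HttpOnly; SameSite=Lax"]   # pre-3.2.2 shape
FIXED_HEADERS = ["_token=PLACEHOLDER_JWT; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_set_cookie_headers(hdrs, watch={"_token"}) or ["ok"])
```

Run it against the headers captured from the API server itself, not only through the proxy, since a proxy may add Secure on the way out while the backend response still lacks it.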

Evidence notes

CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) identified in NVD source metadata. Fix pull request and Apache security mailing list discussion referenced in official CVE record.
