PatchSiren cyber security CVE debrief
CVE-2026-40948 Apache CVE debrief
CVE-2026-40948 describes an authentication-flow weakness in apache-airflow-providers-keycloak where the Keycloak login / callback handling did not generate or validate the OAuth 2.0 state parameter and did not use PKCE. In the documented scenario, an attacker with a Keycloak account in the same realm could steer a victim’s browser into a crafted callback URL and cause the victim to end up logged into the attacker’s Airflow session. The practical concern is session fixation / login-CSRF followed by possible exposure of any secrets the victim later stores in Airflow Connections. Apache advises upgrading to 0.7.0 or later.
- Vendor: Apache
- Product: CVE-2026-40948
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-18
- Original CVE updated: 2026-05-11
- Advisory published: 2026-04-18
- Advisory updated: 2026-05-11
Who should care
Operators of Apache Airflow deployments that use the apache-airflow-providers-keycloak authentication manager, especially where users can store credentials in Airflow Connections and where Keycloak realms include multiple users with browser access.
Technical summary
The issue is an OAuth/OIDC login-flow integrity failure. Per the advisory, the Keycloak auth manager did not create or verify the OAuth 2.0 state parameter during login and callback handling, and it did not use PKCE. NVD maps the weakness to CWE-352 and lists the affected version range as apache-airflow-providers-keycloak from 0.0.1 up to, but not including, 0.7.0. The CVSS vector provided by NVD is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, reflecting a network-reachable issue that requires user interaction and can affect confidentiality and integrity.
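To make the missing control concrete, the following added example (not code from the Airflow provider or the Apache patch) sketches a minimal authorization-code login flow in Python that binds a fresh state value and a PKCE verifier to the user's own browser session, and contrasts a callback handler that skips the state check with one that enforces it. The Keycloak URL, client id and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; the real realm URL, client id and redirect URI are deployment-specific.
AUTHORIZE_URL = "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/auth"
REDIRECT_URI = "https://airflow.example.invalid/auth/callback"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_pkce_pair() -> tuple[str, str]:
    # RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier))
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def begin_login(session: dict) -> str:
    """Bind a fresh state and PKCE verifier to *this* browser session, then build the redirect URL."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    session["oauth_state"], session["pkce_verifier"] = state, verifier
    params = {
        "response_type": "code", "client_id": "airflow", "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback_vulnerable(session: dict, callback_url: str):
    # Pattern the advisory describes for <0.7.0: whatever code arrives is exchanged, state is never checked.
    qs = parse_qs(urlparse(callback_url).query)
    return {"code": qs.get("code", [None])[0]}

def handle_callback_fixed(session: dict, callback_url: str):
    """Accept the callback only if its state matches what this session issued; return token-exchange params."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)      # single-use: consumed even when the check fails
    verifier = session.pop("pkce_verifier", None)
    received = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if not (expected and received and code) or not hmac.compare_digest(expected, received):
        return None
    # The token request must carry the verifier so Keycloak can match it against the stored challenge.
    return {"code": code, "code_verifier": verifier}

def login_csrf_blocked() -> bool:
    """Session that never started a login receives a crafted callback carrying a foreign code."""
    victim_session: dict = {}
    crafted = f"{REDIRECT_URI}?code=FOREIGN_CODE_PLACEHOLDER&state=anything"
    accepted_before = handle_callback_vulnerable(victim_session, crafted) is not None
    accepted_after = handle_callback_fixed(victim_session, crafted) is not None
    return accepted_before and not accepted_after
```

The fixed handler ties the callback to the session that initiated the login, which is exactly the binding the advisory says was absent; PKCE additionally ensures a code can only be redeemed by the client instance that created the challenge.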
Defensive priority
Medium, with expedited remediation for any environment using Keycloak-backed Airflow logins and storing sensitive Connection secrets.
Recommended defensive actions
- Upgrade apache-airflow-providers-keycloak to 0.7.0 or later.
- Confirm all Airflow instances using the Keycloak provider are no longer on affected versions (<0.7.0).
- If users may have stored secrets during the vulnerable period, review and rotate those Airflow Connection credentials as appropriate.
- Invalidate or re-establish active sessions after remediation if your operational procedures support it.
- Monitor authentication logs for unexpected login-callback behavior or anomalies around Keycloak-based sign-in.
Evidence notes
This debrief is based on the supplied CVE record and NVD metadata. The CVE description states that state was neither generated nor validated and PKCE was not used, and that an attacker with a Keycloak account in the same realm could induce victim login to the attacker’s Airflow session. NVD marks the vulnerability as Analyzed, assigns CWE-352, and lists affected versions from 0.0.1 up to, but not including, 0.7.0. Official and vendor-linked references include the Apache patch PR, the Apache mailing-list advisory, and an oss-security posting. The published date used here is the CVE published timestamp of 2026-04-18; the modified timestamp is 2026-05-11.
Official resources
- CVE-2026-40948 CVE record (CVE.org)
- CVE-2026-40948 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Mailing List, Vendor Advisory)
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
Publicly disclosed on 2026-04-18, with NVD marking the record as Analyzed and last modified on 2026-05-11. The supplied references point to Apache’s patch and advisory materials and a contemporaneous oss-security posting.