CVE-2026-28779
Published: 17 March 2026
Summary
CVE-2026-28779 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Apache Airflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The CVE is ranked at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires identification, prioritization, and remediation of flaws such as the improper session cookie path scoping in Apache Airflow via timely patching to version 3.1.8 or later.
- CM-6 (Configuration Settings): ensures secure baseline configuration settings for the webserver and API base_url so that session cookie paths are properly scoped, preventing domain-wide exposure post-remediation.
- Protects the authenticity of web sessions by implementing mechanisms that safeguard session tokens against capture and hijacking by co-hosted malicious applications on the same domain.
MITRE ATT&CK Enterprise Techniques
- T1539 Steal Web Session Cookie
Why these techniques?
The cookie path misconfiguration (path=/) directly enables theft of Airflow web session tokens by a same-domain malicious application from HTTP request headers, matching T1539 Steal Web Session Cookie for session hijacking.
NVD Description
Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Deeper analysis
CVE-2026-28779 is a vulnerability in Apache Airflow versions 3.1.0 through 3.1.7, where the session token (_token) stored in cookies is incorrectly set to path=/, ignoring the configured [webserver] base_url or [api] base_url settings. This flaw exposes the token to unintended access across the entire domain.
An attacker can exploit this by co-hosting a malicious application under the same domain as the Airflow instance. The malicious app can capture valid Airflow session tokens from HTTP request headers, enabling full session takeover and unauthorized access to the Airflow web interface or API without directly targeting Airflow itself. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-668 (Exposure of Resource to Wrong Sphere).
Apache Airflow advisories recommend upgrading to version 3.1.8 or later to resolve the issue by properly scoping the cookie path to the configured base_url. Key references include the fixing pull request at https://github.com/apache/airflow/pull/62771, the Apache mailing list announcement at https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb, and the OSS-Security disclosure at http://www.openwall.com/lists/oss-security/2026/03/17/3.
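A defender-side verification of the cookie scoping described above, written here as an added example (it is not Airflow's code and not part of the advisory). It parses a Set-Cookie header as a deployment would return it, derives the Path that the configured base_url implies, and flags a `_token` cookie whose Path is broader than that prefix; it also shows what a correctly confined header looks like. The base URL, token values and headers are constructed samples, and the function names are hypothetical.

```python
"""Check that an Airflow-style session cookie is confined to the app's base_url path.

Added example (not Airflow's code). All inputs below are constructed samples.
"""
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlparse

# Constructed sample values; a real check would read base_url from airflow.cfg
# and the Set-Cookie header from the login response of the deployment under test.
BASE_URL = "https://example.internal/airflow"  # hypothetical [api] base_url
VULNERABLE_SET_COOKIE = (
    "_token=eyJhbGciOi.CONSTRUCTED.sig; Path=/; HttpOnly; Secure; SameSite=Lax"
)
SCOPED_SET_COOKIE = (
    "_token=eyJhbGciOi.CONSTRUCTED.sig; Path=/airflow; HttpOnly; Secure; SameSite=Lax"
)


def expected_cookie_path(base_url: str) -> str:
    """Return the cookie Path that confines a cookie to base_url's prefix ("/" if none)."""
    path = urlparse(base_url).path.rstrip("/")
    return path or "/"


def cookie_path(set_cookie_header: str, name: str = "_token") -> Optional[str]:
    """Parse a Set-Cookie header and return the named cookie's explicit Path.

    Returns "" when the Path attribute is absent (the browser then derives it
    from the request URI) and None when the named cookie is not present at all.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return None
    return morsel["path"]


def is_confined(actual_path: str, base_path: str) -> bool:
    """True when actual_path lies within base_path (equal, or a sub-path on a '/' boundary).

    "/" against "/airflow" is not confined, and neither is "/airflowx" (prefix collision).
    """
    if base_path == "/":
        return True  # a root-mounted app has no narrower path to confine to
    return actual_path == base_path or actual_path.startswith(base_path + "/")


def assess_cookie_scope(set_cookie_header: str, base_url: str, name: str = "_token") -> dict:
    """Compare the cookie's Path with the path implied by base_url and report exposure."""
    expected = expected_cookie_path(base_url)
    actual = cookie_path(set_cookie_header, name)
    if actual is None:
        return {"cookie": name, "present": False, "expected_path": expected,
                "actual_path": None, "exposed": False}
    # An absent Path attribute counts as unscoped: the default depends on the
    # request URI, so the operator cannot rely on it to confine the token.
    exposed = actual == "" or not is_confined(actual, expected)
    return {"cookie": name, "present": True, "expected_path": expected,
            "actual_path": actual or "(absent)", "exposed": exposed}


def scoped_set_cookie(token: str, base_url: str, name: str = "_token") -> str:
    """Build a Set-Cookie header value that confines the token to base_url's path."""
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["path"] = expected_cookie_path(base_url)
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    return jar.output(header="").strip()


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_SET_COOKIE), ("scoped", SCOPED_SET_COOKIE)):
        print(label, assess_cookie_scope(header, BASE_URL))
    print("corrected header:", scoped_set_cookie("eyJhbGciOi.CONSTRUCTED.sig", BASE_URL))
```

Run against a real login response, the `exposed` flag is what an operator wants after upgrading to 3.1.8: a `_token` cookie whose Path still reads `/` while base_url carries a sub-path means the configuration has not taken effect. Note that when base_url has no path component, `/` is the narrowest scope available, so the check reports no exposure; confining the token further in that deployment is a matter of hosting the application on its own host name rather than of cookie attributes.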
Details
- CWE(s)