CVE-2026-40948 Overview
A session fixation vulnerability exists in the Keycloak authentication manager within apache-airflow-providers-keycloak. The authentication implementation fails to generate or validate the OAuth 2.0 state parameter during the login and login-callback flow, and does not implement Proof Key for Code Exchange (PKCE). This allows an attacker with a Keycloak account in the same realm to deliver a crafted callback URL to a victim's browser, causing the victim to be logged into the attacker's Airflow session. Any credentials the victim subsequently stores in Airflow Connections become harvestable by the attacker.
Critical Impact
Attackers can perform login-CSRF attacks to capture sensitive credentials stored by victims in Airflow Connections, potentially compromising downstream systems and data pipelines.
Affected Products
- apache-airflow-providers-keycloak versions prior to 0.7.0
- Apache Airflow installations using Keycloak authentication
- Environments with shared Keycloak realms
Discovery Timeline
- April 18, 2026 - CVE-2026-40948 published to NVD
- April 20, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40948
Vulnerability Analysis
This vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The root issue stems from improper implementation of the OAuth 2.0 authorization flow in the Keycloak authentication manager. OAuth 2.0 relies on the state parameter as a CSRF token to bind the authorization request to the user's browser session and prevent session fixation attacks. Without this protection, an attacker can initiate an OAuth flow, capture the authorization callback URL, and deliver it to a victim.
The attack requires the attacker to have a valid account in the same Keycloak realm as the victim. Once the victim clicks the malicious callback URL, they are authenticated into the attacker's Airflow session rather than their own. This is particularly dangerous in workflow orchestration platforms like Apache Airflow, where users commonly store database credentials, API keys, and service account tokens in Airflow Connections.
Root Cause
The Keycloak authentication manager implementation omits two critical OAuth 2.0 security mechanisms:
Missing state parameter validation: The OAuth 2.0 specification recommends using the state parameter as an anti-CSRF token. The vulnerable implementation neither generates a unique state value during authorization requests nor validates it upon callback, allowing attackers to inject their own authorization responses.
Absence of PKCE (Proof Key for Code Exchange): PKCE provides an additional layer of protection against authorization code interception attacks by requiring the client to prove possession of a code verifier. Without PKCE, the authorization code becomes susceptible to interception and replay.
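The two missing mechanisms above, shown as an added example that is not code from the provider or from the patch: a minimal login/callback pair in Python in which the login step stores a random state value and a PKCE code verifier in the server-side session, and the callback step refuses any response whose state does not match. The authorization endpoint, client id and redirect URI are hypothetical placeholders, and the session is a plain dict standing in for the web framework's session store; the vulnerable pair is kept only for contrast.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Hypothetical values for illustration; a real deployment reads them from its
# Keycloak realm and client configuration.
AUTHORIZE_URL = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"
CLIENT_ID = "airflow"
REDIRECT_URI = "https://airflow.example/auth/callback"


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def vulnerable_login(session: dict) -> str:
    """The pattern the advisory describes: no state, no PKCE."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid"}
    return AUTHORIZE_URL + "?" + urlencode(params)


def vulnerable_callback(session: dict, params: dict) -> Optional[dict]:
    """Accepts whatever code arrives: nothing ties it to a login this browser began."""
    if "code" not in params:
        return None
    return {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}


def hardened_login(session: dict) -> str:
    """Bind the authorization request to this session with a fresh state and PKCE verifier."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
    session["oauth_state"] = state        # only ever compared server-side
    session["pkce_verifier"] = verifier   # never leaves the server until the token request
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid",
              "state": state,
              "code_challenge": make_code_challenge(verifier),
              "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)


def hardened_callback(session: dict, params: dict) -> Optional[dict]:
    """Return the token request to send to Keycloak, or None if the callback is rejected."""
    # pop() makes both values single-use: replaying a callback with the same state fails
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    received = params.get("state")
    if not expected_state or not verifier or not isinstance(received, str):
        return None  # no pending login in this session, or no state supplied
    if not hmac.compare_digest(expected_state.encode(), received.encode()):
        return None  # response was not produced by a request this session started
    if "code" not in params:
        return None
    # Keycloak verifies code_verifier against the code_challenge sent at authorization time
    return {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}
```

The important properties are that the state lives in a session bound to the browser's own cookie, so a callback carried in from elsewhere finds no matching value; that the comparison is constant-time; and that both values are consumed on first use, so a captured callback cannot be replayed against the same session.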
Attack Vector
The attack is carried out over the network and requires user interaction. An attacker within the same Keycloak realm initiates an OAuth login flow to obtain a valid authorization callback URL containing their authorization code. The attacker then delivers this crafted URL to a victim through social engineering methods such as phishing emails or malicious links. When the victim clicks the link, their browser completes the OAuth flow using the attacker's authorization code, logging the victim into the attacker's Airflow session.
From this point, the attacker can monitor the session for any credentials the victim adds to Airflow Connections, effectively harvesting sensitive authentication data for databases, cloud services, and other integrated systems.
Detection Methods for CVE-2026-40948
Indicators of Compromise
- A single Airflow session being used from multiple geographic locations or client addresses
- Airflow Connection modifications occurring from unexpected IP addresses or user agents
- OAuth callback requests missing the state parameter in application logs
- Multiple users accessing the same Airflow session concurrently
Detection Strategies
- Monitor OAuth authentication logs for login requests lacking state parameter validation
- Implement anomaly detection for Airflow Connection modifications to identify credential harvesting patterns
- Audit Keycloak authentication events for suspicious callback URL patterns
- Review application logs for login-callback sequences from different source IPs within short timeframes
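A detection sketch covering the callback and session-binding strategies above, added here as an example and not part of the advisory: it scans constructed, Airflow-style access-log lines for callback requests carrying no state parameter, for a session id used from more than one client address, and for a Connection write arriving from an address the session had not used before. The log format, the callback route and the connections route are assumptions for the illustration, not the provider's real log format; addresses are from documentation ranges.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines. Assumed format:
#   <timestamp> <client_ip> sess=<session_id> <method> <path>
SAMPLE_LOG = """\
2026-04-20T10:00:01Z 203.0.113.10 sess=a1 GET /auth/callback?code=AAA&state=k3p9
2026-04-20T10:00:05Z 198.51.100.7 sess=b2 GET /auth/callback?code=BBB
2026-04-20T10:01:00Z 198.51.100.7 sess=b2 GET /home
2026-04-20T10:02:00Z 192.0.2.44 sess=b2 POST /api/v2/connections
2026-04-20T10:03:00Z 203.0.113.10 sess=a1 POST /api/v2/connections
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sess=(\S+) (\S+) (\S+)$")
CALLBACK_PATH = "/auth/callback"          # assumed OAuth callback route
CONNECTIONS_PATH = "/api/v2/connections"  # assumed route that creates a Connection


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, sid, method, path = m.groups()
        events.append({"ts": ts, "ip": ip, "session": sid, "method": method, "path": path})
    return events


def callbacks_missing_state(events: list) -> list:
    """Session ids whose OAuth callback arrived with no state parameter."""
    flagged = []
    for e in events:
        url = urlparse(e["path"])
        if url.path == CALLBACK_PATH and "state" not in parse_qs(url.query):
            flagged.append(e["session"])
    return flagged


def sessions_with_multiple_ips(events: list) -> dict:
    """Session id -> set of client addresses, for sessions seen from more than one address."""
    ips = defaultdict(set)
    for e in events:
        ips[e["session"]].add(e["ip"])
    return {sid: addrs for sid, addrs in ips.items() if len(addrs) > 1}


def connection_writes_from_new_ip(events: list) -> list:
    """Sessions where a Connection write came from an address the session had not used before."""
    seen = defaultdict(set)
    flagged = []
    for e in events:  # events are assumed to be in time order
        prior = seen[e["session"]]
        if e["method"] == "POST" and e["path"] == CONNECTIONS_PATH and prior and e["ip"] not in prior:
            flagged.append(e["session"])
        prior.add(e["ip"])
    return flagged


def suspicious_sessions(events: list) -> list:
    """Sessions that both lack a state on their callback and are used from several addresses."""
    no_state = set(callbacks_missing_state(events))
    multi_ip = set(sessions_with_multiple_ips(events))
    return sorted(no_state & multi_ip)
```

Each check is weak on its own (a mobile user changes addresses legitimately), so the combined view is the one worth alerting on; the per-check functions are kept separate so that each can be tuned or fed into a different rule.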
Monitoring Recommendations
- Enable detailed logging for OAuth authentication flows in both Airflow and Keycloak
- Configure alerts for multiple credential additions within a single session from varying network sources
- Implement session binding verification to detect session fixation attempts
- Deploy network traffic analysis to identify crafted callback URL delivery attempts
How to Mitigate CVE-2026-40948
Immediate Actions Required
- Upgrade apache-airflow-providers-keycloak to version 0.7.0 or later immediately
- Review Airflow Connection credentials that may have been compromised and rotate affected secrets
- Audit recent authentication logs for signs of session fixation attacks
- Notify users to be cautious of unexpected OAuth login links
Patch Information
The vulnerability has been addressed in apache-airflow-providers-keycloak version 0.7.0. The fix implements proper state parameter generation and validation in the OAuth 2.0 flow, along with PKCE support. Technical details of the patch are available in the GitHub Pull Request. Additional information can be found in the Apache Mailing List Thread and the Openwall OSS-Security Update.
Workarounds
- Consider temporarily disabling Keycloak authentication and using an alternative authentication mechanism until the upgrade can be completed
- Implement network-level controls to restrict access to Airflow OAuth callback endpoints to trusted sources
- Deploy Web Application Firewall (WAF) rules to validate OAuth state parameters at the network perimeter
- Educate users about the risks of clicking unexpected authentication links and implement security awareness training
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.