CVE-2026-40961 Overview
CVE-2026-40961 is an open redirect vulnerability in Apache Airflow's login flow. The login redirect route fails to properly validate the next= query parameter through the is_safe_url check. Authenticated users can craft URLs that bypass this check and redirect victims from the trusted Airflow domain to an attacker-controlled origin. The flaw maps to CWE-601: URL Redirection to Untrusted Site and enables phishing and credential theft campaigns that leverage the legitimacy of an organization's Airflow domain. Apache fixed the issue in apache-airflow 3.2.2.
Critical Impact
Attackers can abuse the trusted Airflow domain to redirect users to malicious sites, facilitating phishing, session theft, and downstream compromise of authenticated workflows.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments exposing the login endpoint to authenticated users
- Airflow instances without an upstream reverse proxy sanitizing redirect parameters
Discovery Timeline
- 2026-06-01 - CVE-2026-40961 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-40961
Vulnerability Analysis
Apache Airflow's login route accepts a next= query parameter to send users to their originally requested page after authentication. The route invokes an is_safe_url helper that should reject off-domain destinations. A parsing weakness in this helper allows specially crafted URL strings to evade the check while still being accepted by the browser as an absolute URL pointing to an external host. After login, the application issues an HTTP redirect to the attacker-supplied origin.
The vulnerability is network-reachable and requires no privileges, since the login endpoint is reachable before successful authentication. The downstream impact is limited to integrity and confidentiality at low levels — the application itself is not directly compromised, but the trusted domain becomes a phishing vehicle.
Root Cause
The root cause is incomplete URL validation in the is_safe_url function used by the login redirect handler. The parser does not correctly normalize edge cases such as backslash-prefixed paths, protocol-relative URLs, or userinfo-embedded hosts. These inputs serialize to absolute external URLs at the browser layer while appearing to pass the internal same-origin check.
Attack Vector
An attacker constructs a URL of the form https://airflow.victim.tld/login?next=<crafted-url> and delivers it through email, chat, or a malicious site. The victim, who trusts the Airflow domain, clicks the link and authenticates. Airflow then redirects the browser to the attacker-controlled host, where credential harvesting, OAuth token theft, or malware delivery can occur. See the Apache Airflow pull request 65557 and the Apache mailing list disclosure for technical details on the fix.
Detection Methods for CVE-2026-40961
Indicators of Compromise
- Login requests to /login containing next= parameters whose decoded value resolves to an external host
- HTTP 302 responses from Airflow with Location headers pointing to non-Airflow domains
- Outbound user traffic from authenticated Airflow sessions to recently registered or low-reputation domains
- Web server access logs showing unusually long, percent-encoded, or backslash-laden next= values
Detection Strategies
- Parse Airflow web server logs and alert on next= query parameters whose host component differs from the canonical Airflow FQDN
- Correlate login redirect responses with subsequent DNS lookups and TLS SNI values to identify off-domain redirects
- Hunt for phishing kits referencing the Airflow domain in HTTP Referer headers in proxy or SWG telemetry
Monitoring Recommendations
- Enable verbose access logging on the Airflow web server and forward to a centralized log platform
- Monitor Airflow audit logs for authentication events immediately followed by external navigation
- Track newly observed external domains appearing in the Location response header of /login responses
How to Mitigate CVE-2026-40961
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later on all environments
- Inventory all Airflow deployments including managed services and container images to confirm patch coverage
- Review recent web server logs for suspicious next= parameter values and notify potentially phished users
- Rotate any credentials or API tokens entered after clicking suspicious Airflow login links
Patch Information
Apache released the fix in apache-airflow 3.2.2. The patch hardens the is_safe_url validation in the login redirect handler. Refer to Apache Airflow PR #65557 and the Apache security advisory for change details, and the Openwall OSS-Security post for the public disclosure.
Workarounds
- Place Airflow behind a reverse proxy (NGINX, HAProxy, Envoy) that strips or rewrites off-domain next= query parameters before requests reach the login endpoint
- Enforce a strict allowlist of redirect targets at the proxy or WAF layer, rejecting any next= value whose host does not match the Airflow FQDN
- Add a Content Security Policy and clear Referrer-Policy to limit phishing leverage if redirection still occurs
# NGINX example: strip next= parameter on /login requests
location = /login {
if ($arg_next ~* "^(https?:|//|\\\\)") {
return 302 /login;
}
proxy_pass http://airflow_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
