Follow @Openwall on Twitter for new release announcements and other news
[<prev] [day] [month] [year] [list] 
Message-ID: <e94b50ef-bebb-e821-6721-b812d1afb97e@apache.org>
Date: Mon, 09 Mar 2026 10:36:45 +0000
From: Jarek Potiuk <potiuk@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-25604: Apache Airflow AWS Auth Manager - Host Header
 Injection Leading to SAML Authentication Bypass 

Severity: medium 

Affected versions:

- Apache Airflow Providers Amazon (apache-airflow-providers-amazon) 8.0.0 before 9.22.0

Description:

In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL. 
This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.

You should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.

Credit:

Sungwuk Jung (finder)

References:

https://github.com/apache/airflow/pull/61368
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-25604

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.