Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass
Summary
| CVE | CVE-2026-25604 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-09 11:16:06 UTC |
| Updated | 2026-07-02 16:35:27 UTC |
| Description | In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL. This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances. You should upgrade to 9.22.0 version of provider if you use AWS Auth Manager. |
Risk And Classification
Primary CVSS: v3.1 5.4 MEDIUM from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Problem Types: CWE-346 | CWE-346 CWE-346: Origin Validation Error
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Apache-airflow-providers-amazon | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Airflow Providers Amazon | affected 8.0.0 9.22.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/apache/airflow/pull/61368 | [email protected] | github.com | Issue Tracking, Patch |
| www.openwall.com/lists/oss-security/2026/03/09/6 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| lists.apache.org/thread/spwwrsmwxod7fpttcd7n7zs46j839l77 | [email protected] | lists.apache.org | Mailing List |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Sungwuk Jung (en)
There are currently no legacy QID mappings associated with this CVE.