Skip to content

Commit a22a9f3

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-jpf5-526x-c5hw GHSA-5w6h-pjw6-wvc6
1 parent 2b381a3 commit a22a9f3

File tree

2 files changed

+44
-1
lines changed

2 files changed

+44
-1
lines changed

advisories/unreviewed/2025/05/GHSA-jpf5-526x-c5hw/GHSA-jpf5-526x-c5hw.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-jpf5-526x-c5hw",
4-
"modified": "2025-11-03T21:33:59Z",
4+
"modified": "2026-04-18T15:34:15Z",
55
"published": "2025-05-30T15:30:30Z",
66
"aliases": [
77
"CVE-2025-40909"
@@ -39,6 +39,10 @@
3939
"type": "WEB",
4040
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226"
4141
},
42+
{
43+
"type": "WEB",
44+
"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00018.html"
45+
},
4246
{
4347
"type": "WEB",
4448
"url": "https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads"

advisories/unreviewed/2026/04/GHSA-5w6h-pjw6-wvc6/GHSA-5w6h-pjw6-wvc6.json

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5w6h-pjw6-wvc6",
4+
"modified": "2026-04-18T15:34:15Z",
5+
"published": "2026-04-18T15:34:15Z",
6+
"aliases": [
7+
"CVE-2026-40948"
8+
],
9+
"details": "The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40948"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://github.com/apache/airflow/pull/64114"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://lists.apache.org/thread/kc0odpr70hbqhdb9ksnz42fkqz2xld9q"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "http://www.openwall.com/lists/oss-security/2026/04/17/14"
28+
}
29+
],
30+
"database_specific": {
31+
"cwe_ids": [
32+
"CWE-352"
33+
],
34+
"severity": null,
35+
"github_reviewed": false,
36+
"github_reviewed_at": null,
37+
"nvd_published_at": "2026-04-18T14:16:10Z"
38+
}
39+
}

0 commit comments

Comments
 (0)