CVE-2026-25604

🗓️ 09 Mar 2026 10:39:05Reported by apacheType

cve🔗 web.nvd.nist.gov👁 19 Views🌐 WEB

CVE-2026-25604: SAML bypass via unverified origin in Airflow AWS Auth Manager; cross‑instance access; upgrade to 9.22.0.

Reporter	Title	Published	Views	Family All 21
ATTACKERKB	CVE-2026-25604	9 Mar 202610:39	–	attackerkb
Chainguard	CVE-2026-25604 vulnerabilities	12 Mar 202607:17	–	cgr
Circl	CVE-2026-25604	22 Apr 202615:00	–	circl
CNNVD	Apache Airflow 安全漏洞	9 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-25604 Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass	9 Mar 202610:39	–	cvelist
EUVD	EUVD-2026-10318	9 Mar 202612:31	–	euvd
EUVD	EUVD-2026-10319	9 Mar 202612:31	–	euvd
GithubExploit	Exploit for Origin Validation Error in Apache Airflow_Providers_Amazon	22 Apr 202601:22	–	githubexploit
Github Security Blog	Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass	9 Mar 202612:31	–	github
NVD	CVE-2026-25604	9 Mar 202611:16	–	nvd

NVD

Vulners

Node

apache airflow_providers_amazonRange8.0.0–9.22.0

[
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow-providers-amazon",
    "product": "Apache Airflow Providers Amazon",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "9.22.0",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/apache/airflow/pull/61368
lists	www.lists.apache.org/thread/spwwrsmwxod7fpttcd7n7zs46j839l77
openwall	www.openwall.com/lists/oss-security/2026/03/09/6

Parameter	Position	Path	Description	CWE
Host	header	/login	Host header injection changes the ACS URL used in the SAML authentication flow, allowing an attacker-controlled ACS endpoint and potential token capture/replay.	CWE-346

17 Jun 2026 10:24Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.15.4

EPSS0.00359

SSVC

CWE-346