CVE-2026-28779: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
In Apache Airflow versions 3.1.0 through 3.1.7, the session token cookie (_token) is set with path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, enabling full session takeover without attacking Airflow itself. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
AI Analysis
Technical Summary
CVE-2026-28779 is a session-cookie scoping flaw in Apache Airflow, the open-source platform used to programmatically author, schedule and monitor workflows. In versions 3.1.0 through 3.1.7 the session cookie named '_token' is issued with Path=/ regardless of the path component of the configured [webserver] base_url or [api] base_url. A browser attaches a cookie to every request whose path matches the cookie's Path attribute (RFC 6265, section 5.1.4), so with Path=/ the Airflow session token is sent on every request to that host, including requests to unrelated applications served under other path prefixes such as /airflow versus /otherapp. Any co-hosted back end that reads the incoming Cookie header therefore receives a valid Airflow session token; an attacker who controls or compromises such an application can replay that token and act as the logged-in Airflow user, without attacking Airflow itself. The weakness is classified as CWE-668 (Exposure of Resource to Wrong Sphere): a resource that should be confined to one application is made available to another. Exploitation requires no interaction with Airflow and no Airflow credentials, but it does require an authenticated Airflow user's browser to make a request to the attacker-controlled path on the same host; the token then leaks automatically. The Secure and HttpOnly attributes do not help here, because the leak is an ordinary HTTPS request carrying the Cookie header, not script access. Apache Airflow 3.1.8 and later resolve the issue by scoping the session cookie Path to the configured base_url. No public exploit or in-the-wild activity had been reported at disclosure, but the outcome of a successful attack is full session takeover.
Potential Impact
The impact of CVE-2026-28779 is significant for organizations running Apache Airflow 3.1.0 through 3.1.7 on a shared hostname, that is, with Airflow served under a path prefix (a base_url such as https://intranet.example.com/airflow) alongside other web applications on the same domain. Whoever controls or compromises any of those co-hosted applications can harvest session tokens from the Cookie header of ordinary user traffic and fully hijack Airflow sessions, gaining the victim's access to DAG definitions, Connections and Variables, task logs and pipeline control. That can lead to data exposure, unauthorized modification or deletion of workflows, disruption of scheduled processes and exposure of business logic; because Airflow commonly holds credentials for downstream data systems, a hijacked administrator session can also serve as a pivot point. The attack needs no Airflow-specific exploit, which lowers its complexity and raises the risk in multi-tenant or shared-hosting environments. Deployments on a dedicated hostname, or whose base_url path is simply /, gain nothing from the fix and are not meaningfully affected by this specific flaw, since the cookie already covers the whole host. The absence of known exploitation reduces the immediate threat but not the urgency of remediation: once a co-hosted application is compromised, capturing the tokens is trivial.
Mitigation Recommendations
To mitigate CVE-2026-28779, upgrade Apache Airflow to 3.1.8 or later, which scopes the session cookie Path to the configured base_url. Verify the fix rather than assuming it: log in and inspect the Set-Cookie header for '_token' in the response; its Path attribute should equal the path component of base_url, not /. Until the upgrade is possible, move Airflow to its own hostname or subdomain so that no other application shares its cookie scope. That is the robust fix in any case, because cookie Path is not a security boundary in the browser (RFC 6265, section 8.5, "Weak Confidentiality"): a dedicated origin isolates Airflow from same-origin script as well as from server-side header capture, which Path scoping alone does not. Where Airflow sits behind a reverse proxy, the proxy can rewrite the Path attribute of the upstream Set-Cookie header (nginx's proxy_cookie_path directive, for example) as a stopgap; confirm the rewritten value with the same Set-Cookie check, and make sure it still covers every Airflow endpoint, including the API prefix. Content Security Policy and Subresource Integrity harden the co-hosted applications against script injection, but they do not address the core exposure: a server-side handler on the shared host receives the Cookie header no matter what the browser enforces. Reducing the number of applications that share a domain with Airflow shrinks the attack surface; monitoring for Airflow sessions used from unexpected source addresses or user agents can surface hijacking; network segmentation and strict access control around the hosting environment limit what a hijacked session can reach. Finally, treat cookie scoping (Path, Domain, Secure, HttpOnly, SameSite) as a standing review item for every co-hosted web application, remembering that Secure and HttpOnly restrict how a cookie is transmitted and accessed, not where on the host it is sent.
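The following script is an added example, written for this page rather than taken from the Airflow project, covering both the browser path-matching behaviour described in the technical summary and the Set-Cookie verification recommended above. It applies the RFC 6265 section 5.1.4 path-match rule to a login response's Set-Cookie header and reports whether the '_token' cookie would be attached to requests for a sibling application on the same host. Only the cookie name '_token' comes from the advisory; the sample headers, the hostname data.example.com, the /airflow base_url path, the login path and the /otherapp/ sibling path are constructed assumptions.

```python
"""Audit whether an Airflow session cookie is scoped to the configured base_url.

Added example, not Airflow's own code. Given the Set-Cookie header returned
by an Airflow login response plus the [api]/[webserver] base_url, apply the
RFC 6265 section 5.1.4 path-match rule a browser uses and report whether the
cookie would be sent to a sibling application on the same host. The cookie
name `_token` is from the advisory; everything else below is constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed samples: hostname, paths and token values are placeholders.
BASE_URL = "https://data.example.com/airflow"
VULNERABLE_SET_COOKIE = "_token=abc123example; Path=/; HttpOnly; Secure; SameSite=Lax"
FIXED_SET_COOKIE = "_token=abc123example; Path=/airflow; HttpOnly; Secure; SameSite=Lax"


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4: would a cookie with `cookie_path` be sent to `request_path`?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/airflow" matches "/airflow/dags" but not "/airflowfoo"; "/" matches everything.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path, used only when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def expected_cookie_path(base_url: str) -> str:
    """Path the session cookie should be scoped to for a given base_url."""
    return urlparse(base_url).path.rstrip("/") or "/"


def audit_session_cookie(set_cookie: str, base_url: str,
                         login_path: str = "/airflow/auth/login",
                         sibling: str = "/otherapp/") -> dict:
    """Parse one Set-Cookie header and report how widely the _token cookie is exposed."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if "_token" not in jar:
        raise ValueError("no _token cookie in Set-Cookie header")
    morsel = jar["_token"]
    cookie_path = morsel["path"] or default_path(login_path)
    expected = expected_cookie_path(base_url)
    return {
        "path": cookie_path,
        "expected_path": expected,
        # Cookie path is a strict ancestor of the base_url path: broader than needed.
        "overscoped": cookie_path != expected and path_matches(cookie_path, expected),
        # Would a request to a co-hosted application on the same host carry the token?
        "leaks_to_sibling": path_matches(cookie_path, sibling),
        # These flags do not stop the path leak but are still worth confirming.
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


if __name__ == "__main__":
    for label, header in (("3.1.7-style", VULNERABLE_SET_COOKIE), ("fixed", FIXED_SET_COOKIE)):
        print(label, audit_session_cookie(header, BASE_URL))
```

To audit a real deployment, paste the '_token' Set-Cookie value from your own login response and your base_url into audit_session_cookie; an 'overscoped' or 'leaks_to_sibling' result of True means the cookie reaches paths outside Airflow's prefix. The path-match function is the same rule browsers apply, so it also shows why a Path of /airflow does not cover a hypothetical /airflowfoo prefix while still covering /airflow/api.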
Affected Countries
United States, Germany, United Kingdom, France, India, China, Japan, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-03-03T10:12:24.113Z
- CVSS Version: null (no score in the record)
- State: PUBLISHED
Threat ID: 69b92cc9771bdb17499ac8a6
Added to database: 3/17/2026, 10:28:25 AM
Last enriched: 3/17/2026, 10:42:39 AM
Last updated: 3/17/2026, 11:56:17 AM