The vulnerability in Apache Airflow 3.0.0 involves the JWTRefreshMiddleware setting the JWT authentication cookie without the 'Secure' attribute. This means that in deployments where the Airflow API server is accessed through an HTTPS-terminating reverse proxy that forwards plaintext HTTP requests internally, the JWT cookie can be transmitted over unencrypted HTTP. A network attacker can exploit this by capturing the JWT cookie from an induced HTTP request and replaying it to authenticate against the API server. This affects session integrity and confidentiality in typical cloud-native topologies where TLS termination is offloaded to a proxy. The recommended remediation is upgrading to Apache Airflow 3.2.2 or later, which presumably sets the 'Secure' flag correctly.

The impact is that an attacker with network access can capture and replay a user's JWT authentication cookie if the user’s browser issues an HTTP request to the Airflow API server hostname. This compromises session confidentiality and allows unauthorized API access, potentially leading to unauthorized actions within the Airflow environment. The vulnerability specifically affects deployments using TLS-terminating reverse proxies that forward plaintext HTTP traffic to the Airflow API server, which is a common deployment pattern.

Users should upgrade to Apache Airflow version 3.2.2 or later, where this issue is addressed by setting the 'Secure' attribute on the JWT authentication cookie. No official patch or advisory content is provided in the input data, so patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until upgraded, avoid configurations where the Airflow API server receives plaintext HTTP traffic from TLS-terminating proxies or ensure that all traffic to the API server is encrypted end-to-end.