CVE-2026-25604
PUBLISHED
CVSS 9.3 CRITICAL
In the AWS Auth Manager, the origin of the SAML authentication was taken as supplied by the client and was not verified against the actual instance URL. An attacker could therefore gain access to other instances, potentially with different access controls, by reusing a SAML response issued for another instance. Users of the AWS Auth Manager should upgrade to version 9.22.0 of the provider.
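The failure described above is a binding check that trusts the wrong side. The following is an added example, not Apache Airflow's own code: it builds constructed SAML 2.0 responses for two hypothetical instances and contrasts a check that rebuilds the expected origin from the client's request headers (the vulnerable pattern) with one that takes it from server-side configuration (the fixed pattern). The URL paths `/auth/saml/acs` and `/auth/saml/metadata`, the header names and the instance hostnames are assumptions for illustration only; signature verification is deliberately left out because it is not what fails here.

```python
"""
Added example, not Apache Airflow's own code: binding a SAML response to the
instance that consumes it. All SAML XML here is constructed test data and the
URL paths (/auth/saml/acs, /auth/saml/metadata) are assumptions, not the
provider's real endpoints.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def make_response(destination: str, audience: str) -> str:
    """Construct a minimal SAML 2.0 Response as an IdP would issue it for one SP.
    Signature handling is omitted on purpose; the point is the origin binding."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_r1" Version="2.0" Destination="{destination}">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )


def parse_binding(response_xml: str) -> tuple:
    """Return (Destination attribute, Audience element text) from the response."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination", "")
    audience_el = root.find(f".//{{{SAML}}}Audience")
    audience = audience_el.text if audience_el is not None else ""
    return destination, audience


def sp_urls(base_url: str) -> tuple:
    """(ACS URL, SP entity ID) for an instance; the paths are an assumption."""
    base = base_url.rstrip("/")
    return base + "/auth/saml/acs", base + "/auth/saml/metadata"


def check_vulnerable(response_xml: str, request_headers: dict) -> bool:
    """Vulnerable pattern: the expected origin is rebuilt from the client's own
    request (Host / X-Forwarded-Proto), so whoever sends the request picks it.
    Whatever instance runs this check will accept a response for any origin the
    client names in its headers."""
    scheme = request_headers.get("X-Forwarded-Proto", "https")
    origin = f'{scheme}://{request_headers["Host"]}'
    expected_acs, expected_entity = sp_urls(origin)
    destination, audience = parse_binding(response_xml)
    return destination == expected_acs and audience == expected_entity


def check_fixed(response_xml: str, configured_base_url: str) -> bool:
    """Fixed pattern: the expected origin comes from server-side configuration
    (the instance's own base URL) and never from the request."""
    expected_acs, expected_entity = sp_urls(configured_base_url)
    destination, audience = parse_binding(response_xml)
    return destination == expected_acs and audience == expected_entity


# Constructed scenario: two instances behind one IdP with different access controls.
INSTANCE_A = "https://airflow-dev.example.com"
INSTANCE_B = "https://airflow-prod.example.com"

# A response the IdP legitimately issued for instance A.
RESPONSE_FOR_A = make_response(*sp_urls(INSTANCE_A))


def replay_outcome() -> dict:
    """Replay A's response against instance B while setting the Host header to
    A's hostname, and report what each check decides."""
    spoofed_headers = {"Host": "airflow-dev.example.com", "X-Forwarded-Proto": "https"}
    return {
        "honest_login_on_a": check_fixed(RESPONSE_FOR_A, INSTANCE_A),
        "replay_on_b_vulnerable": check_vulnerable(RESPONSE_FOR_A, spoofed_headers),
        "replay_on_b_fixed": check_fixed(RESPONSE_FOR_A, INSTANCE_B),
    }


if __name__ == "__main__":
    for name, accepted in replay_outcome().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The vulnerable check passes the replay because instance B derives its expected ACS URL and entity ID from headers the attacker controls; the fixed check rejects it because B compares the response against its own configured base URL, which the IdP never named. When auditing an SP deployment, confirm that the value the ACS validates `Destination` and `Audience` against is read from configuration rather than from `Host`, `X-Forwarded-Host` or similar request data.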
EPSS 0.02% · 3.8th percentile
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.02%
3.8th percentile
Affected Products
| Vendor | Product | Affected from | Fixed in |
|---|---|---|---|
| apache | airflow_providers_amazon | 8.0.0 | 9.22.0 |
| Apache Software Foundation | Apache Airflow Providers Amazon | 8.0.0 | 9.22.0 |
| PyPI | apache-airflow-providers-amazon | 0 (all releases before the fix) | 9.22.0 |
Timeline
- Mar 9, 2026 CVE Published
- Mar 9, 2026 EPSS Score
- Mar 10, 2026 CVE Updated
- Mar 10, 2026 EPSS Score
- Mar 10, 2026 Security Advisory
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
- Mar 18, 2026 EPSS Score
References
- https://github.com/apache/airflow/pull/61368 patch
- https://lists.apache.org/thread/spwwrsmwxod7fpttcd7n7zs46j839l77 vendor-advisory
- http://www.openwall.com/lists/oss-security/2026/03/09/6 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-25604 advisory
- https://github.com/apache/airflow/commit/1a86aec01d827ba8caf41b645db56663a9a61850 url
- https://github.com/apache/airflow package