By weakness (CWE)
CWE-614: related vulnerabilities
CVEs classified under CWE-614. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
2 published vulnerabilities
- CVE-2026-41017MEDIUM 5.9
Apache Airflow's JWT authentication middleware fails to mark session cookies as secure, exposing them to interception when the API server sits behind a TLS-terminating reverse proxy—a standard cloud architecture. An attacker on a shared network (public Wi-Fi, compromised LAN, or captive portal) can intercept an authenticated user's session token and replay it to gain API access. The vulnerability only materializes in specific deployment topologies where the reverse proxy strips HTTPS before forwarding to Airflow; teams running Airflow with end-to-end encryption or without reverse proxies are not affected. Apache Airflow 3.2.2 and later patch this issue.
- CVE-2025-52608LOW 3.1
HCL iControl contains a cookie security misconfiguration that leaves session identifiers and authentication tokens vulnerable to interception and cross-site request forgery attacks. The vulnerability stems from the absence of the Secure and SameSite cookie attributes, combined with an overly permissive cookie path set to root. While the immediate risk is moderate, this configuration flaw can enable attackers to hijack user sessions or trick authenticated users into performing unintended actions.