{"schema_version": "1.6.1", "id": "CVE-2020-17526", "summary": "Incorrect Session Validation in Airflow Webserver with default config in Apache Airflow", "details": "Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.  This does not affect users who have changed the default value for `[webserver] secret_key` config.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Airflow"}, {"fixed": "1.10.14"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E"}]}