Hi Airflow community,

Please find below the information about a vulnerability which has been addressed in Apache Airflow v1.10.14:

*CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config*

*Description*: In Airflow < 1.10.14, Incorrect Session Validation in Airflow Webserver with default config allows a malicious Airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.

*Mitigation*: Change the default value for `[webserver] secret_key` config.

*Credits*: Junghan Lee of Deliveryhero Korea Security Team

Thanks.
Kaxil @ Airflow PMC
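The following is an added example, not part of the original advisory or of Airflow's code: a configuration audit for the `[webserver] secret_key` setting, plus a simplified model of why two sites sharing one key accept each other's sessions. Assumptions: `EXAMPLE_DEFAULT_KEY` is a constructed placeholder for the shipped default, the HMAC-signed session is a stand-in for the webserver's real cookie format, and all function names are hypothetical.

```python
import configparser
import hashlib
import hmac
import secrets

# Constructed placeholder: when auditing a real deployment, pass the default
# value shipped in your Airflow version's config template instead.
EXAMPLE_DEFAULT = "EXAMPLE_DEFAULT_KEY"
# Constructed sample config for a site left on the default key.
SITE_A_CFG = "[webserver]\nsecret_key = EXAMPLE_DEFAULT_KEY\n"


def audit_secret_key(cfg_text, shipped_default=EXAMPLE_DEFAULT, min_len=16):
    """Return 'missing', 'default', 'short' or 'ok' for [webserver] secret_key."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    key = cfg.get("webserver", "secret_key", fallback="").strip()
    if not key:
        return "missing"
    if hmac.compare_digest(key.encode(), shipped_default.encode()):
        return "default"
    return "short" if len(key) < min_len else "ok"


def _tag(secret_key, payload):
    return hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()


def sign_session(secret_key, payload):
    """Simplified signed session (assumption): payload plus HMAC-SHA256 tag."""
    return f"{payload}.{_tag(secret_key, payload)}"


def verify_session(secret_key, cookie):
    """Return the payload if the tag matches this site's key, else None."""
    payload, _, tag = cookie.rpartition(".")
    expected = _tag(secret_key, payload)
    return payload if hmac.compare_digest(tag.encode(), expected.encode()) else None


def new_secret_key():
    """Per-deployment random key: 32 random bytes, hex encoded."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print("site A audit:", audit_secret_key(SITE_A_CFG))
    cookie = sign_session(EXAMPLE_DEFAULT, "user=alice")  # issued by site A
    print("site B, same key:", verify_session(EXAMPLE_DEFAULT, cookie))
    print("site B, rotated key:", verify_session(new_secret_key(), cookie))
```

Rotating the key invalidates sessions issued under the old one, so users have to log in again after the change.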
