


Perceptive Security
SOC/SIEM Consultancy

Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_u…
Published:
16 March 2026 at 23:00:00
Alert date:
17 March 2026 at 18:02:56
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
Apache Airflow versions 3.1.0 through 3.1.7 contain a vulnerability where session tokens in cookies are incorrectly set to path=/ regardless of configured base URLs. This misconfiguration allows any co-hosted application under the same domain to capture valid Airflow session tokens from HTTP headers, enabling complete session takeover without directly attacking Airflow. The vulnerability affects the cookie path setting mechanism and bypasses intended access restrictions. Users should upgrade to Apache Airflow 3.1.8 or later to resolve this issue. The flaw represents a significant security risk for organizations running multiple applications on shared domains.
Technical details
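An added example (Python, not Airflow's own code) that audits a Set-Cookie header against the configured base_url path and simulates, with the standard library cookie jar, which same-host paths a browser would attach the session cookie to. The hostname, paths and token value are constructed; the vulnerable header mirrors the behaviour described above, the fixed one scopes Path to the base_url.

```python
"""Audit a session cookie's Path against base_url and show where a browser
would send it. Constructed values throughout; not Airflow's own code."""
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.parse import urlparse
from urllib.request import Request


def cookie_scoped_to_base_url(set_cookie: str, base_url: str) -> bool:
    """True when every cookie in the header carries a Path equal to the
    base_url path prefix (a missing Path counts as '/')."""
    base_path = urlparse(base_url).path.rstrip("/") or "/"
    parsed = SimpleCookie()
    parsed.load(set_cookie)
    for morsel in parsed.values():
        cookie_path = morsel["path"].rstrip("/") or "/"
        if cookie_path != base_path:
            return False
    return True


def paths_receiving_cookie(set_cookie: str, login_url: str, probe_urls):
    """Store the cookie as a browser would after a response from login_url,
    then return the probe URLs (same host) that would get it in a request."""
    headers = Message()
    headers["Set-Cookie"] = set_cookie

    class _Response:  # minimal stand-in for the object CookieJar expects
        def info(self):
            return headers

    jar = CookieJar()
    jar.extract_cookies(_Response(), Request(login_url))
    receiving = []
    for url in probe_urls:
        req = Request(url)
        jar.add_cookie_header(req)  # adds a Cookie header only on a path match
        if req.get_header("Cookie"):
            receiving.append(url)
    return receiving


# Constructed deployment: Airflow served under /airflow next to another app.
BASE_URL = "https://ops.example.com/airflow"
LOGIN = BASE_URL + "/auth/login"
PROBES = [BASE_URL + "/dags", "https://ops.example.com/other-app/"]
VULNERABLE = "_token=CONSTRUCTED_SESSION_VALUE; Path=/; Secure; HttpOnly"
FIXED = "_token=CONSTRUCTED_SESSION_VALUE; Path=/airflow; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("Path=/", VULNERABLE), ("Path=/airflow", FIXED)):
        print(label, "scoped:", cookie_scoped_to_base_url(header, BASE_URL),
              "sent to:", paths_receiving_cookie(header, LOGIN, PROBES))
```

With the vulnerable header the cookie reaches /other-app/ as well as /airflow/dags; with the fixed header only the Airflow path receives it.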
Mitigation steps:
Upgrade to Apache Airflow 3.1.8 or later.
Affected products:
Apache Airflow
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-28779
https://github.com/apache/airflow/pull/62771
https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb
http://www.openwall.com/lists/oss-security/2026/03/17/3
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
