A vulnerability, which was classified as problematic , has been found in Apache Airflow up to 3.2.1 . This vulnerability affects unknown code of the component JWTRefreshMiddleware . Performing a manipulation results in sensitive cookie without secure attribute. This vulnerability is reported as CVE-2026-41017 . The attack is possible to be carried out remotely. No exploit exists. It is advisable to upgrade the affected component.