Versions Affected: < 1.10.14 *Description*: Incorrect Session Validation in Airflow Webserver with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
This does not affect users who have changed the default value for `[webserver] secret_key` config. *Mitigation*: Change the default value for `[webserver] secret_key` config. *Credit*: Junghan Lee of Deliveryhero Korea Security Team Thanks, Kaxil, on behalf of Apache Airflow PMC
