CVE-2026-31987
Received
Received - Intake
JWT Token Exposure in Apache Airflow Allows Privilege Escalation
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: Apache Software Foundation
Description
Description
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to Airflow version that contains fix.
Users are recommended to upgrade to version 3.2.0, which fixes this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 3.0.0 (inc) to 3.2.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves JWT tokens used by tasks being exposed in logs. Because these tokens were logged, unauthorized UI users could potentially use them to impersonate Dag Authors.
How can this vulnerability impact me? :
The exposure of JWT tokens in logs can allow unauthorized users to gain elevated permissions by acting as Dag Authors. This could lead to unauthorized access or modifications within the Airflow environment.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to upgrade to Airflow version 3.2.0, which contains the fix for this vulnerability.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70