Executive Summary

This vulnerability exists in Apache Airflow's Log server JWT authorization mechanism. It arises because the code uses Python's str.lstrip() function to verify JWT tokens against Dag IDs. However, str.lstrip() removes any combination of specified characters from the start of a string, not a fixed prefix. As a result, a JWT issued for a Dag named, for example, 'dag_a' could incorrectly authorize access to logs of other Dags whose names begin with any subset of the characters {d, a, g, _}, such as 'dag_attacker' or 'aaaa_target'.

An attacker who is already an authenticated Airflow worker holding a valid Log-server JWT for at least one Dag can exploit this flaw to enumerate and read logs of other Dags beyond the intended per-Dag isolation boundary.

This issue mainly affects deployments that rely on per-Dag log-access scoping, such as multi-team, shared-executor, or shared-worker topologies. The vulnerability was fixed by replacing str.lstrip() with str.removeprefix() to correctly match the exact prefix during JWT validation.

Useful 0 Not Useful 0

Impact Analysis

If you are running an Apache Airflow deployment that uses per-Dag log-access scoping, this vulnerability allows an authenticated Airflow worker to access logs of other Dags that they should not have permission to see.

This can lead to unauthorized disclosure of sensitive information contained in task outputs and error traces from other teams or workflows, potentially exposing confidential data or internal system details.

Such unauthorized log access can undermine data isolation policies and increase the risk of information leakage within shared or multi-tenant Airflow environments.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying whether your Apache Airflow deployment is running a version prior to 3.2.2 and if it uses per-Dag log-access scoping with authenticated workers holding Log-server JWT tokens.

Since exploitation requires an authenticated Airflow worker with a valid Log-server JWT, monitoring for unusual log access patterns where a worker accesses logs of Dags with names sharing character subsets with their authorized Dag could indicate exploitation.

Specific commands to detect this vulnerability are not provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, where the vulnerability has been fixed by replacing the use of Python's `str.lstrip()` with `str.removeprefix()` for JWT verification.

Until the upgrade can be performed, restrict access to the Airflow Log server to trusted authenticated workers only, and monitor for suspicious log access patterns that could indicate unauthorized log enumeration.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated Airflow worker to access logs of other Dags beyond their authorized scope, potentially exposing task output and error traces that should remain isolated per Dag.

Such unauthorized access to potentially sensitive log data could lead to violations of data protection and privacy regulations like GDPR or HIPAA, which require strict access controls and data isolation to protect personal or sensitive information.

Therefore, deployments relying on per-Dag log-access scoping may face compliance risks if this vulnerability is exploited, as it undermines the intended access restrictions and could result in unauthorized data disclosure.

Users are advised to upgrade to Apache Airflow 3.2.2 or later to mitigate this risk and maintain compliance with such standards.

Useful 0 Not Useful 0