Compliance Impact

This vulnerability allows previously-issued JWT tokens to remain valid after a user logs out, enabling an attacker holding such tokens to continue making authenticated API calls as that user.

Such a flaw can impact compliance with standards and regulations like GDPR and HIPAA, which require proper session termination and protection of user data to prevent unauthorized access.

Failure to properly invalidate authentication tokens after logout may lead to unauthorized data access, potentially violating data protection and privacy requirements mandated by these regulations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability in Apache Airflow affects the logout handling of certain authentication managers, specifically FabAuthManager and KeycloakAuthManager. When a user logs out via the UI, the system fails to properly invalidate previously issued JSON Web Tokens (JWT). This happens because the logout flow does not reach the revoke_token() function, leaving the JWT tokens valid until they naturally expire.

As a result, an attacker who holds a previously issued JWT for a logged-out user can continue to make authenticated API calls as that user, effectively bypassing the logout process.

The issue was a residual gap from a previous fix (CVE-2025-57735) that addressed cookie invalidation but did not cover token revocation on the provider side for these auth managers. The fix involves ensuring revoke_token() is called before any early return in the logout flow, guaranteeing JWT tokens are invalidated properly.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to continue using a valid JWT token even after the legitimate user has logged out. This means the attacker can make authenticated API calls impersonating the logged-out user.

The impact includes unauthorized access to user-specific data and actions within Apache Airflow, potentially leading to data exposure, unauthorized operations, or privilege escalation depending on the user's permissions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves JWT tokens remaining valid after logout when using FabAuthManager or KeycloakAuthManager in Apache Airflow. Detection would involve checking if JWT tokens issued before logout are still accepted by the API server.

You can monitor API calls to the Airflow server and verify if tokens that should have been revoked are still accepted. For example, capturing and inspecting HTTP requests to the /auth/logout endpoint and subsequent API calls using previously issued JWT tokens.

A practical approach is to use tools like curl or HTTP clients to test token validity before and after logout:

• 1. Obtain a JWT token by logging in.
• 2. Call the /auth/logout endpoint with the token.
• 3. Attempt to make an authenticated API call using the same token after logout.

If the API call succeeds, the token was not revoked properly, indicating the vulnerability.

Example curl commands:

• curl -H "Authorization: Bearer <JWT_TOKEN>" https://<airflow-server>/api/v1/some_endpoint
• curl -X POST -H "Authorization: Bearer <JWT_TOKEN>" https://<airflow-server>/auth/logout
• Then repeat the first curl command to check if the token is still accepted.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Apache Airflow to version 3.2.2 or later, which includes the fix ensuring that JWT tokens are properly revoked during logout for FabAuthManager and KeycloakAuthManager.

If upgrading immediately is not possible, consider temporarily disabling the use of FabAuthManager or KeycloakAuthManager, or enforce short JWT token lifetimes to reduce the window of exposure.

Additionally, monitor and audit API usage to detect any unauthorized use of tokens after logout.

Useful 0 Not Useful 0