Description
When a user logged out, the JWT the user had authenticated with was not invalidated, so the token could be reused if it had been intercepted. Airflow 3.2 adds a mechanism that invalidates the token at logout. Users concerned about the logout scenario and the possibility of intercepted tokens should upgrade to Airflow 3.2 or later.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Published: 2026-04-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via reused JWT token
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because Airflow, before 3.2, does not invalidate a user's JSON Web Token (JWT) when the user logs out: the token is not revoked server-side and stays accepted until it expires. An attacker who has captured the token, through network interception or by compromising the user's environment, can replay it after the logout and gain the user's access. This is session hijacking and undermines the confidentiality and integrity of authenticated sessions. The weakness is CWE-613, Insufficient Session Expiration: the server keeps honouring a session credential after the session should have ended.
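As an added illustration (example code written for this page, not Airflow's own implementation, and not a description of how Airflow 3.2 implements the fix), the Python below models the pre-3.2 behaviour next to one hardened form: logout records the token's jti in a server-side denylist that every request checks after the signature check, and entries are dropped once the token would have expired anyway. The HS256 minting and verification are a minimal implementation written for the example; the secret, the user name and the timestamps are constructed values.

```python
"""Vulnerable vs. hardened logout for HS256 JWT sessions (added example)."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed for the example; a real deployment loads this from config.
SECRET = b"example-hs256-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT. The 'jti' claim gives each token an identity that a
    server-side revocation list can refer to."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Signature and expiry check only; returns the claims or None.
    This is all a pre-3.2 server does, so by itself it cannot tell a live
    session from one whose user has already logged out."""
    try:
        h, p, s = token.split(".")
        sig = _b64url_decode(s)
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # wrong structure, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm confusion
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class VulnerableAuth:
    """Pre-3.2 behaviour described in the advisory: logout changes nothing on
    the server, so the token is honoured until 'exp' regardless of logout."""

    def logout(self, token: str, now: Optional[int] = None) -> None:
        pass  # nothing is recorded server-side

    def authenticate(self, token: str, now: Optional[int] = None) -> Optional[str]:
        claims = verify_token(token, now)
        return claims["sub"] if claims else None


class HardenedAuth:
    """Logout denylists the token's jti until its exp; every request checks
    the list after the signature check. A token without a jti cannot be
    revoked individually, so it is rejected outright."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp

    def logout(self, token: str, now: Optional[int] = None) -> None:
        claims = verify_token(token, now)
        if claims and "jti" in claims:
            self._revoked[claims["jti"]] = claims["exp"]

    def authenticate(self, token: str, now: Optional[int] = None) -> Optional[str]:
        claims = verify_token(token, now)
        if not claims or "jti" not in claims or claims["jti"] in self._revoked:
            return None
        return claims["sub"]

    def purge_expired(self, now: Optional[int] = None) -> int:
        """Drop entries whose token has expired anyway; bounds the list size.
        Returns the number of entries removed."""
        now = int(time.time()) if now is None else now
        before = len(self._revoked)
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return before - len(self._revoked)


def replay_after_logout(auth, now: int = 1_700_000_000) -> Optional[str]:
    """Scenario from the advisory: alice logs in, her token is captured,
    she logs out, and the captured copy is replayed a minute later."""
    token = issue_token("alice", ttl=3600, now=now)
    captured = token  # the attacker's copy, however it was obtained
    auth.logout(token, now=now)
    return auth.authenticate(captured, now=now + 60)


if __name__ == "__main__":
    print("vulnerable:", replay_after_logout(VulnerableAuth()))  # alice
    print("hardened:  ", replay_after_logout(HardenedAuth()))    # None
```

The vulnerable class accepts the captured token after logout because nothing changed on the server; the hardened class rejects it. In a deployment with several API or webserver replicas the denylist has to live in shared storage (the metadata database or a cache) rather than in process memory, otherwise a logout on one replica leaves the token valid on the others. Keying the list on jti and expiring entries at the token's exp keeps it bounded by the number of logouts per token lifetime.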

Affected Systems

The weakness affects the Apache Airflow workflow orchestration platform maintained by the Apache Software Foundation. Versions older than 3.2.0 lack the logout token invalidation and are therefore vulnerable. Users running any Airflow release prior to 3.2.0 should upgrade.

Risk and Exploitability

The CVSS base score of 9.1 puts the issue in the critical band, while the EPSS score below 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Note what the vector (AV:N/AC:L/PR:N/UI:N) leaves implicit: the attacker must already hold a copy of a valid token. Once one is captured, exploitation is trivial, since the token can be replayed as-is to obtain the user's authenticated access until it expires. The realistic attack vectors are interception of traffic that carries the token and compromise of the client environment where it is stored. Logout-time invalidation closes only the window after the user logs out; a captured token from a session that is never logged out stays valid until it expires, so a short token lifetime complements the fix.

Generated by OpenCVE AI on April 9, 2026 at 15:20 UTC.

Remediation

Vendor fix: upgrade to Apache Airflow 3.2.0 or later, which invalidates the token at logout. The advisory publishes no workaround for earlier releases.

OpenCVE Recommended Actions

  • Upgrade to Apache Airflow 3.2.0 or newer.

Generated by OpenCVE AI on April 9, 2026 at 15:20 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-c92r-g8j5-vhcx
Title: Apache Airflow: JWT token still valid after logout
History

Fri, 17 Apr 2026 13:15:00 +0000

Type: CPEs; Values Added: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared; Values Added: Apache, Apache airflow
Type: Vendors & Products; Values Added: Apache, Apache airflow

Thu, 09 Apr 2026 18:30:00 +0000

Type: References

Thu, 09 Apr 2026 14:15:00 +0000

Type: Metrics; Values Added:
cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 11:15:00 +0000

Type: Description; Values Added: When user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Type: Title; Values Added: Apache Airflow: Airflow Logout Not Invalidating JWT
Type: Weaknesses; Values Added: CWE-613
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-09T17:25:08.801Z

Reserved: 2025-08-18T21:00:19.983Z

Link: CVE-2025-57735

Vulnrichment

Updated: 2026-04-09T17:25:08.801Z

NVD

Status: Analyzed

Published: 2026-04-09T11:16:20.757

Modified: 2026-04-17T13:03:16.150

Link: CVE-2025-57735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:53Z

Weaknesses