Description
JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.
Published: 2026-05-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A JWT token used by KubernetesExecutor workers is placed in the process command line, allowing users with only read-only access to pods to retrieve the token and use Airflow's Task SDK to perform privileged actions, potentially altering the Airflow database. The confidentiality and integrity of the system are therefore compromised.

Affected Systems

The vulnerability affects the Apache Airflow CNCF Kubernetes provider distributed by the Apache Software Foundation; specific product versions are not listed in the advisory and the issue applies to any installation that uses the KubernetesExecutor without the recent fix.

Risk and Exploitability

With a CVSS score of 8.7 the issue is considered high severity, yet its EPSS score is not provided and it is not catalogued in CISA KEV. The attack requires the attacker to have read-only Kubernetes pod access, which in many environments is available to staff or users with minimal privileges. Once the token is captured, the attacker can use the Airflow Task SDK to modify task state or alter database entries. The lack of an external escalation path suggests the risk is limited to the cluster but still serious for any deployment that exposes pods to untrusted users.

Generated by OpenCVE AI on May 19, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the Airflow release that includes the fix from PR 60108, which removes JWT tokens from command-line arguments.
  • Reconfigure Kubernetes RBAC or PodSecurityPolicies to restrict read access to pod command lines for non-trusted users.
  • Enable auditing and monitoring of Airflow API usage to detect abnormal token usage or task state changes.

Generated by OpenCVE AI on May 19, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow Cncf Kubernetes
Vendors & Products Apache
Apache airflow Cncf Kubernetes

Tue, 19 May 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 19 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.
Title Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments
Weaknesses CWE-538
References

Subscriptions

Apache Airflow Cncf Kubernetes
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T19:57:11.716Z

Reserved: 2026-02-18T14:18:43.403Z

Link: CVE-2026-27173

cve-icon Vulnrichment

Updated: 2026-05-19T19:34:01.489Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-19T20:16:17.440

Modified: 2026-05-19T21:16:41.920

Link: CVE-2026-27173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:15:15Z

Weaknesses