Description
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to Airflow version that contains fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via exposed JWT tokens
Action: Patch
AI Analysis

Impact

JWT tokens used by Apache Airflow tasks were recorded in log files. Anyone who can read these logs, such as a UI user, would obtain a token that grants the authority of a Dag Author. Using that token, an attacker could create, modify, or delete DAG definitions, potentially injecting malicious code or causing unauthorized data processing.

Affected Systems

The vulnerability affects installations of Apache Airflow maintained by the Apache Software Foundation. Versions prior to 3.2.0 have not applied the fix, so any release older than 3.2.0 is susceptible.

Risk and Exploitability

The EPSS score is < 1%, indicating a low likelihood of exploitation, and the issue is not listed in the KEV catalog, so official exploitation data is sparse. The attack vector is inferred to be through the Airflow UI or any process that reads the application logs; thus, individuals with log access pose a risk. The CVSS score is 7.5, reflecting a moderate to high impact if exploited.

Generated by OpenCVE AI on April 18, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Airflow to version 3.2.0 or later, which removes the log exposure.
  • Scan existing log files for any recorded JWT tokens, delete or rotate those logs, and ensure that previous versions are cleaned.
  • Adjust the logging configuration to mask or omit sensitive fields such as JWTs in future logs.

Generated by OpenCVE AI on April 18, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-phv5-vq5p-qhp7 Apache Airflow: JWT token appearing in logs
History

Mon, 20 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Sat, 18 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 16 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
Vendors & Products Apache
Apache airflow

Thu, 16 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Title Apache Airflow: JWT token appearing in logs
Weaknesses CWE-532
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-18T02:28:44.770Z

Reserved: 2026-03-10T18:31:09.400Z

Link: CVE-2026-31987

cve-icon Vulnrichment

Updated: 2026-04-16T18:24:29.466Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-16T14:16:13.490

Modified: 2026-04-20T16:54:59.767

Link: CVE-2026-31987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses