Description
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
Published: 2026-06-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug causes the logout process in Apache Airflow's FabAuthManager and KeycloakAuthManager not to invoke revoke_token(). As a result, JWT tokens previously issued remain valid after a user logs out. Attackers who possess a JWT for a logged-out user can continue to make authenticated API calls, effectively bypassing the intended session termination. This omission creates a residual gap that allows unauthorized API access until the token expires naturally.

Affected Systems

The flaw affects installations of Apache Airflow that have configured either FabAuthManager or KeycloakAuthManager for authentication. Versions before 3.2.2 contain the bug, while the issue was fixed in apache-airflow 3.2.2 and later. Deployments using SimpleAuthManager are not impacted. Users who previously applied the fix for CVE-2025-57735 should also upgrade to 3.2.2 or newer to secure the logout paths.

Risk and Exploitability

Although CVSS and EPSS scores are not published, the vulnerability permits continued exploitation of a legitimate user’s token after logout, granting unauthorized access to protected API endpoints. The attack requires the attacker to have a JWT that was issued before the user logged out, a condition that can occur if the token was intercepted or reused. In the absence of KEV designation, no known active exploits are reported, but the risk remains medium to high for environments where token theft or reuse is possible.

Generated by OpenCVE AI on June 1, 2026 at 10:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or later, ensuring that the logout flow includes token revocation for FabAuthManager and KeycloakAuthManager.
  • Verify that the authentication manager configuration remains unchanged after the upgrade and that revoke_token() is reachable during logout.
  • If an immediate upgrade is not feasible, consider temporarily disabling logout or enforcing token invalidation at the API gateway or application layer until the fix is applied.
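
The following is an added, self-contained Python model of the mechanism behind this weakness (CWE-613) and of the post-upgrade check the second recommended action asks for; it is constructed for this page and is not Airflow's own code. It assumes HS256-signed JWTs carrying a `jti` claim, an in-memory revocation store standing in for whatever `revoke_token()` updates, and a constructed cookie name (`session_token`). One logout clears only the cookie, which is the behaviour described above; the other also records the `jti` server-side. `logout_revokes_token()` replays the raw JWT after logout and reports whether the server still accepts it, which is exactly what a deployment should test after upgrading, with the real login and logout endpoints in place of the two functions here.

```python
"""Model of JWT logout revocation (CWE-613): a jti denylist, a logout that reaches
revoke(), a logout that does not, and a check that tells the two apart.
Constructed example; not Airflow's own code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a deployment uses its configured key
TOKEN_TTL = 3600  # seconds; a token stays valid this long unless it is revoked
COOKIE_NAME = "session_token"  # constructed placeholder, not Airflow's real cookie name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


def issue_token(subject: str, now: float) -> str:
    """Mint an HS256 JWT with a unique jti so that one token can be revoked on its own."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode('ascii'))}"


class RevocationStore:
    """Server-side denylist of revoked jti values: the state revoke_token() is expected to update."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}  # jti -> exp, so entries can be dropped once the token expires anyway

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: float) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}


def validate_token(token: str, store: RevocationStore, now: float) -> Tuple[bool, str]:
    """Accept a token only if signature, expiry and revocation status all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header, payload, signature = parts
    expected = _sign(f"{header}.{payload}".encode("ascii"))
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        return False, "expired"
    if store.is_revoked(claims["jti"]):
        return False, "revoked"
    return True, claims["sub"]


def logout_cookie_only(token: str, store: RevocationStore) -> Dict[str, str]:
    """Logout that clears the browser cookie but never reaches revoke(): the gap described above."""
    return {"Set-Cookie": f"{COOKIE_NAME}=; Max-Age=0"}


def logout_with_revocation(token: str, store: RevocationStore) -> Dict[str, str]:
    """Logout that clears the cookie and records the jti server-side, so the bare JWT is rejected too."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    store.revoke(claims["jti"], claims["exp"])
    return {"Set-Cookie": f"{COOKIE_NAME}=; Max-Age=0"}


def logout_revokes_token(logout: Callable[[str, RevocationStore], Dict[str, str]],
                         now: Optional[float] = None) -> bool:
    """Post-upgrade check: True if a token is rejected after logout, False if revocation is unreachable."""
    now = time.time() if now is None else now
    store = RevocationStore()
    token = issue_token("alice", now)
    assert validate_token(token, store, now)[0]  # sanity check: a fresh token is accepted
    logout(token, store)  # the cleared cookie is irrelevant; the raw JWT is what gets replayed
    accepted, _ = validate_token(token, store, now + 60)
    return not accepted


if __name__ == "__main__":
    print("cookie-only logout revokes token:", logout_revokes_token(logout_cookie_only))
    print("logout with revoke() revokes token:", logout_revokes_token(logout_with_revocation))
```

The denylist is keyed by `jti` rather than by the whole token so that entries can be pruned once the token's own `exp` passes; against a real deployment the same check is a login, a logout, and one authenticated API call with the pre-logout JWT, which must fail.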

Tracking

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:15:00 +0000

Type / Values Removed / Values Added

Description
  Added: the current Description text (reproduced above)
Title
  Added: Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path
Weaknesses
  Added: CWE-613
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T07:35:19.270Z

Reserved: 2026-05-22T18:59:34.389Z

Link: CVE-2026-48726

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T09:16:20.187

Modified: 2026-06-01T09:16:20.187

Link: CVE-2026-48726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:45:26Z

Weaknesses