Description
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug causes the logout process in Apache Airflow's FabAuthManager and KeycloakAuthManager not to invoke revoke_token(). As a result, JWT tokens previously issued remain valid after a user logs out. Attackers who possess a JWT for a logged‑out user can continue to make authenticated API calls, effectively bypassing the intended session termination. This omission creates a residual gap that allows unauthorized API access until the token expires naturally.

Affected Systems

The flaw affects installations of Apache Airflow that have configured either FabAuthManager or KeycloakAuthManager for authentication. Versions before 3.2.2 contain the bug, while the issue was fixed in apache-airflow 3.2.2 and later. Deployments using SimpleAuthManager are not impacted. Users who previously applied the fix for CVE-2025-57735 should also upgrade to 3.2.2 or newer to secure the logout paths.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of < 1% suggests a low likelihood of exploitation. The vulnerability permits continued exploitation of a legitimate user’s token after logout, granting unauthorized access to protected API endpoints. The attack requires the attacker to have a JWT that was issued before the user logged out, a condition that can occur if the token was intercepted or reused. In the absence of KEV designation, no known active exploits are reported, but the risk remains medium to high for environments where token theft or reuse is possible.

Generated by OpenCVE AI on June 2, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or later to apply the fix that ensures revoke_token() is reached during logout, addressing the session expiration weakness (CWE‑613).
  • Confirm that the updated authentication manager now performs the token revocation check and does not allow lingering tokens after logout. This actively mitigates the CWE‑613 vulnerability by enforcing proper session termination.
  • If an immediate upgrade is not possible, implement a temporary measure at the API gateway or application layer to reject tokens that belong to users who have logged out, thereby compensating for the missing session expiration protection until the patch can be applied.
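The compensating check in the last item, as an added example that is not part of the OpenCVE page or of Airflow's own code: a small gateway-side guard that records each user's logout instant and rejects any token issued before it, so a logout whose `revoke_token()` call is never reached still cuts off the old token. `Token`, `LogoutGuard` and `buggy_logout` are constructed stand-ins, not Airflow classes.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    """Minimal stand-in for an issued JWT's claims (constructed; not Airflow's class)."""
    jti: str    # unique token id
    sub: str    # subject (user) the token was issued to
    iat: float  # issued-at, epoch seconds
    exp: float  # expiry, epoch seconds

@dataclass
class LogoutGuard:
    """Gateway-side compensating control: remember each user's last logout instant
    and reject any token issued at or before it, revoked by the issuer or not."""
    revoked_jti: set = field(default_factory=set)
    logged_out_at: dict = field(default_factory=dict)

    def record_logout(self, sub: str, now: float) -> None:
        # Called when the gateway sees the logout request itself, so it does not
        # depend on the auth manager's revoke_token() being reached.
        self.logged_out_at[sub] = now

    def revoke(self, token: Token) -> None:
        self.revoked_jti.add(token.jti)   # what a working revoke_token() would do

    def accepts(self, token: Token, now: float) -> bool:
        if now >= token.exp or token.jti in self.revoked_jti:
            return False                   # expired or explicitly revoked
        cutoff = self.logged_out_at.get(token.sub)
        # Strict '>' closes the same-instant window: a re-login must mint a later token.
        return cutoff is None or token.iat > cutoff

def buggy_logout(guard: LogoutGuard, token: Token, now: float) -> None:
    """Models the advisory's failure mode: the logout request completes, but the
    revoke_token() call is never reached, so guard.revoke() is never invoked."""
    guard.record_logout(token.sub, now)

def scenario() -> tuple:
    guard = LogoutGuard()
    old = Token(jti="t1", sub="alice", iat=100.0, exp=3700.0)
    before = guard.accepts(old, now=150.0)     # normal use before logout
    buggy_logout(guard, old, now=200.0)        # revocation silently skipped
    after = guard.accepts(old, now=300.0)      # still rejected by the guard
    fresh = Token(jti="t2", sub="alice", iat=400.0, exp=4000.0)
    relogin = guard.accepts(fresh, now=450.0)  # newer than the logout: accepted
    return before, after, relogin
```

In a real deployment the logout registry must be shared by every gateway replica and survive restarts, and `iat` and `sub` must be read from the signature-verified token, never from anything the client supplies separately.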

Generated by OpenCVE AI on June 2, 2026 at 19:06 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache
                                      Apache airflow
CPEs                                  cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products                    Apache
                                      Apache airflow

Tue, 02 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 09:15:00 +0000

Type          Values Removed   Values Added
Description                    A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
Title                          Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path
Weaknesses                     CWE-613
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T16:43:28.651Z

Reserved: 2026-05-22T18:59:34.389Z

Link: CVE-2026-48726

Vulnrichment

Updated: 2026-06-02T16:03:36.795Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:20.187

Modified: 2026-06-03T02:06:43.287

Link: CVE-2026-48726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:15:16Z

Weaknesses
  • CWE-613: Insufficient Session Expiration