Token Reuse Vulnerability in Apache Airflow by Apache
CVE-2025-57735

Currently unrated

Key Information:

Vendor

Apache
Status
Apache Airflow
Vendor
CVE Published:
9 April 2026

What is CVE-2025-57735?

A security flaw in Apache Airflow allows the reuse of JWT tokens by failing to invalidate user tokens upon logout. If an attacker intercepts a valid token, they could gain unauthorized access, potentially compromising sensitive data and user accounts. The issue has been addressed in Apache Airflow version 3.2.0 and later, which now implements essential token invalidation protocols to enhance security during logout scenarios.

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.0

References

https://github.com/apache/airflow/pull/61339
patch
https://github.com/apache/airflow/pull/56633
patch
https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3...
vendor-advisory

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Saurabh Banawar
Anish Giri
vincent beck
.