Exposure of JWT Tokens in Apache Airflow Logs
CVE-2026-31987

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 16 April 2026

What is CVE-2026-31987?

Apache Airflow exposed the JWT tokens used by tasks through its logging. This vulnerability allows users with UI access to perform actions similar to those of authorized Dag authors, potentially compromising the integrity of the data workflows. Users are strongly advised to upgrade to version 3.2.0 or later to mitigate this issue.
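One way to check log files for JWT-shaped strings and redact them, given here as an added example that is not taken from the advisory or from Apache Airflow. The function names, the sample token and the log lines are constructed for illustration and do not reproduce Airflow's actual log format.

```python
import base64
import json
import re

# A JWT is three base64url segments; a JSON object always encodes to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_json(segment):
    """Decode one base64url segment to a dict, or None if it is not a JSON object."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def find_jwts(line):
    """Return (token, header) pairs for strings in `line` that decode as a JWT."""
    hits = []
    for m in JWT_RE.finditer(line):
        header_seg, payload_seg, _sig = m.group(0).split(".")
        header = _b64url_json(header_seg)
        # Require a real header ("alg") and a JSON payload to cut false positives.
        if header and "alg" in header and _b64url_json(payload_seg) is not None:
            hits.append((m.group(0), header))
    return hits

def scan(lines):
    """Yield (line_number, redacted_line, algs) for every line carrying a JWT."""
    for n, line in enumerate(lines, 1):
        hits = find_jwts(line)
        if hits:
            for tok, _ in hits:
                line = line.replace(tok, "<JWT redacted>")
            yield n, line, [h["alg"] for _, h in hits]

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token (no valid signature) and constructed log lines.
SAMPLE_TOKEN = ".".join([_enc(b'{"alg":"HS512","typ":"JWT"}'),
                         _enc(b'{"sub":"constructed-task"}'),
                         _enc(b"not-a-real-signature")])
SAMPLE_LOG = [
    "2026-04-16 10:00:01 INFO task started",
    f"2026-04-16 10:00:02 DEBUG Authorization: Bearer {SAMPLE_TOKEN}",
    "2026-04-16 10:00:03 INFO marker eyJxxxx.eyJyyyy.zzz",  # token-shaped, not a JWT
]

if __name__ == "__main__":
    for n, redacted, algs in scan(SAMPLE_LOG):
        print(f"line {n}: JWT found (alg={algs}) -> {redacted}")
```

Any token found this way should be treated as disclosed, and the redacted line is what should be kept in place of the original.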

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

unixengineer
Jason Imison
Pineapple