Log Server JWT Vulnerability in Apache Airflow
CVE-2026-45426

3.1 LOW

Key Information:

Vendor: Apache
CVE Published: 1 June 2026

What is CVE-2026-45426?

The vulnerability is a flaw in how Apache Airflow's log server authorizes JWT tokens. When the server validates the JWT's sub claim against the requested log path, it uses the str.lstrip() method, which strips a set of characters rather than a literal prefix, so path segments are handled incorrectly and unauthorized log access becomes possible. An authenticated worker holding a valid token can therefore potentially read logs of other DAGs whose names share a character-class prefix with its own DAG name. This can expose sensitive task outputs and error traces, breaking the per-DAG log isolation expected in multi-team deployments. Users are urged to upgrade to Apache Airflow version 3.2.2 or later to mitigate this risk.
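The bug class behind this advisory is a common Python pitfall: str.lstrip(chars) removes every leading character that appears anywhere in chars, not the literal prefix string. The following Python is an added illustration, not Apache Airflow's code; the function names, the "<dag_id>/<task>/<file>" log-path layout and the DAG names are constructed assumptions. It places a defective lstrip-based ownership check beside a segment-exact check of the kind a fix needs, and runs both over sample paths for a worker whose sub claim authorizes only the DAG "team_a".

```python
"""Illustration of the str.lstrip() path-prefix bug class described above.

Added example, not Apache Airflow's code: the function names, the
"<dag_id>/<task>/<file>" log-path layout and the DAG names are constructed
assumptions used only to show the behaviour.
"""
from pathlib import PurePosixPath


def owns_path_lstrip(sub: str, log_path: str) -> bool:
    """Defective check of the kind the advisory describes.

    str.lstrip(chars) removes every leading character that appears anywhere
    in `chars`; it does not remove the literal prefix. A path whose first
    segment is spelled from the same characters as `sub` is therefore
    stripped just as if it began with "<sub>/".
    """
    remaining = log_path.lstrip(sub + "/")
    # "Something was stripped" is mistaken for "the path lies under <sub>/".
    return remaining != log_path


def owns_path_exact(sub: str, log_path: str) -> bool:
    """Corrected check: the first path segment must equal `sub` exactly.

    Working on path segments instead of characters also lets the check
    reject absolute paths and '..' traversal segments explicitly, which an
    lstrip-based check never looked at.
    """
    if not log_path or log_path.startswith("/"):
        return False
    parts = PurePosixPath(log_path).parts  # pathlib does not collapse ".."
    if ".." in parts:
        return False
    return parts[0] == sub


def compare(sub: str, log_paths: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {path: (lstrip_decision, exact_decision)} for each candidate path."""
    return {p: (owns_path_lstrip(sub, p), owns_path_exact(sub, p)) for p in log_paths}


if __name__ == "__main__":
    # Constructed sample: a worker whose JWT `sub` authorises only DAG "team_a".
    candidates = [
        "team_a/task1/attempt=1.log",      # its own logs: both checks accept
        "meta/job/attempt=1.log",          # "meta" is spelled from {t,e,a,m,_}: lstrip accepts
        "team_a_extra/run/attempt=1.log",  # different DAG sharing a prefix: lstrip accepts
        "other/job/attempt=1.log",         # no shared leading characters: both reject
        "team_a/../meta/attempt=1.log",    # traversal: only the exact check rejects
    ]
    for path, (bad, good) in compare("team_a", candidates).items():
        print(f"{path:35} lstrip={bad!s:5} exact={good!s:5}")
```

The defective check only looks wrong for DAG names drawn from a different alphabet, which is why such a bug can survive casual testing; the corrected check compares whole segments and additionally refuses absolute paths and traversal components.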

Affected Version(s)

Apache Airflow >= 3.0.0, < 3.2.2

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Lip (theluckystrike)
Jarek Potiuk (@potiuk)