Log Server JWT Vulnerability in Apache Airflow
CVE-2026-45426
Currently unrated
What is CVE-2026-45426?
The vulnerability arises from a flaw in the authorization logic for JWT tokens used by Apache Airflow's log server. When validating the JWT's sub claim, the code uses the str.lstrip() method on path segments; because lstrip() strips a leading run of any characters found in its argument rather than a literal prefix, the check mishandles those segments and permits unauthorized log access. As a result, an authenticated worker holding a valid token can potentially read logs belonging to other DAGs whose names share a character-class prefix with its own DAG name. This could expose sensitive task outputs and error traces, compromising the per-DAG isolation and privacy expected in multi-team deployments. Users are urged to upgrade to Apache Airflow version 3.2.2 or later to mitigate this risk.
Affected Version(s)
Apache Airflow 3.0.0 < 3.2.2
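The following is an added illustration of the str.lstrip() pitfall the advisory describes; it is not Airflow's own code, and the "dag_id=" path segment layout, the log path format, and the function names are assumptions made for the example. It contrasts a check that extracts the DAG id with lstrip() against one that verifies and removes a literal prefix, and shows how two different DAG names collapse to the same id under the weak check.

```python
from pathlib import PurePosixPath
from typing import Callable, Optional

# Hypothetical layout: the first path segment names the DAG, e.g. "dag_id=<name>".
PREFIX = "dag_id="


def dag_id_weak(segment: str) -> Optional[str]:
    # BUG: str.lstrip() treats its argument as a SET of characters. It keeps
    # removing leading characters while they belong to {d, a, g, _, i, =},
    # so it eats into the DAG name itself whenever the name starts with
    # characters drawn from that set.
    return segment.lstrip(PREFIX)


def dag_id_fixed(segment: str) -> Optional[str]:
    # Correct: require the literal prefix, then drop exactly that many characters.
    # (str.removeprefix() on Python 3.9+ is equivalent.)
    if not segment.startswith(PREFIX):
        return None
    return segment[len(PREFIX):]


def authorized(extract: Callable[[str], Optional[str]],
               token_sub: str, requested_path: str) -> bool:
    # The token's sub claim names the log path the worker is allowed to read;
    # the request is authorized only if both refer to the same DAG.
    token_dag = extract(PurePosixPath(token_sub).parts[0])
    requested_dag = extract(PurePosixPath(requested_path).parts[0])
    return bool(token_dag) and token_dag == requested_dag


# Constructed sample inputs (not real Airflow paths).
TOKEN_SUB = "dag_id=x/run_id=r1/task_id=t/attempt=1.log"
OWN_LOG = "dag_id=x/run_id=r2/task_id=t/attempt=1.log"
OTHER_LOG = "dag_id=gad_x/run_id=r9/task_id=t/attempt=1.log"  # a different DAG


def demo() -> dict:
    # lstrip("dag_id=") turns both "dag_id=x" and "dag_id=gad_x" into "x",
    # so the weak check lets the worker for DAG "x" read DAG "gad_x" logs.
    return {
        "weak_own": authorized(dag_id_weak, TOKEN_SUB, OWN_LOG),
        "weak_other": authorized(dag_id_weak, TOKEN_SUB, OTHER_LOG),
        "fixed_own": authorized(dag_id_fixed, TOKEN_SUB, OWN_LOG),
        "fixed_other": authorized(dag_id_fixed, TOKEN_SUB, OTHER_LOG),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak extractor also returns an empty string for names built entirely from prefix characters (for example "dag_id=dad"), which is why the example refuses an empty DAG id outright; the fixed extractor never has that problem because it removes a fixed number of characters only after confirming the literal prefix is present.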