Security Flaw in Apache Airflow's Auth Manager Affects User Session Management
CVE-2026-48726
Currently unrated
What is CVE-2026-48726?
A vulnerability in Apache Airflow's auth manager allows previously issued JWT tokens to remain valid after a user logs out. The logout paths of FabAuthManager and KeycloakAuthManager do not carry out the underlying token revocation, so an access token stays usable until it expires. An attacker who has obtained such a token can therefore keep making API calls as the user after that user believes they have logged out. Deployments that use either of these auth managers should upgrade to Apache Airflow 3.2.2 or later; until then, logout should be treated as not invalidating issued tokens.
Affected Version(s)
Apache Airflow, all versions before 3.2.2 (0 <= version < 3.2.2)