Security Flaw in Apache Airflow's KubernetesExecutor Exposing JWT Tokens
CVE-2026-49298
Currently unrated
What is CVE-2026-49298?
A flaw in the KubernetesExecutor of Apache Airflow causes the JWT tokens used to authenticate worker pods against the Execution API to appear in the command-line arguments of the pod spec. Users with read-only access in Kubernetes can retrieve these tokens from the output of 'kubectl describe pod'. With a token in hand, an attacker can invoke state-modifying operations via the Execution API, such as triggering DAG runs and manipulating Variables or Connections. Users are recommended to upgrade to Apache Airflow version 3.2.2 or newer, which fixes this issue and complements the earlier fixes provided in related advisories.
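A defender-side check for the exposure described above, written as an added example (it is not code from the advisory or from the Airflow project): scan a pod spec, such as the JSON returned by `kubectl get pod -o json`, for JWT-shaped strings in container command/args and report each hit with the token redacted. The pod spec and token below are constructed sample data.

```python
import base64
import json
import re

# Added audit helper (not Airflow project code): scan a pod spec for JWT-shaped
# strings passed as container command/args, the leak pattern in CVE-2026-49298.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def decode_segment(segment: str):
    """Decode a base64url JWT segment to a dict; None if it is not valid JSON."""
    try:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None

def find_exposed_jwts(pod_spec: dict) -> list:
    """Return one finding per JWT found in any container's command or args."""
    findings = []
    for container in pod_spec.get("spec", {}).get("containers", []):
        for field in ("command", "args"):
            for idx, value in enumerate(container.get(field) or []):
                for match in JWT_RE.finditer(str(value)):
                    head, body, _sig = match.group(0).split(".")
                    header = decode_segment(head)
                    if not header or "alg" not in header:
                        continue  # JWT-shaped but the header does not decode
                    payload = decode_segment(body) or {}
                    findings.append({
                        "container": container.get("name"),
                        "field": field,
                        "index": idx,
                        "alg": header["alg"],
                        "sub": payload.get("sub"),
                        "redacted": match.group(0)[:12] + "...",  # never log the full token
                    })
    return findings

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: a worker pod handed its token on the command line.
# Header and payload are fabricated; "c2ln" stands in for the signature.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "HS512", "typ": "JWT"}),
                         _b64url({"sub": "task-instance"}), "c2ln"])
SAMPLE_POD = {
    "metadata": {"name": "airflow-worker-example"},
    "spec": {"containers": [{"name": "base",
                             "args": ["airflow", "tasks", "run", "--token", SAMPLE_TOKEN]}]},
}
```

Run `find_exposed_jwts` over every pod spec in the Airflow namespace; any finding on a worker pod means the token is readable by anyone with pod read access and the cluster should be moved to a fixed release.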
Affected Version(s)
Apache Airflow < 3.2.2 (all versions before 3.2.2)