Security Flaw in Apache Airflow's KubernetesExecutor Exposing JWT Tokens
CVE-2026-49298
8.8 HIGH
What is CVE-2026-49298?
A flaw in the KubernetesExecutor of Apache Airflow exposes the JWT tokens that worker pods use to authenticate against the Execution API: the tokens appear in command-line arguments within the pod spec. Users with read-only access in Kubernetes can exploit this issue to retrieve these tokens from 'kubectl describe pod' output. With a retrieved token, an attacker can invoke state-modifying operations via the Execution API, such as triggering DAG runs and manipulating Variables or Connections. Users are advised to upgrade to Apache Airflow version 3.2.2 or newer to mitigate this vulnerability; the fix complements earlier fixes provided in related advisories.
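An added example, not part of the advisory or of the Airflow project's code: a Python audit that scans a parsed pod list for JWTs sitting in container command/args and reports them redacted. The sample pod list, the token, the "run-task" command and the "--payload" argument are constructed for illustration and do not reflect Airflow's actual worker arguments; the check itself is generic and applies to any workload.

```python
import base64, json, re

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    """Decode one base64url JWT segment to a dict; None if it is not JSON."""
    try:
        value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
        return value if isinstance(value, dict) else None
    except ValueError:  # covers binascii.Error, JSON and Unicode decode errors
        return None

def find_exposed_jwts(pod_list):
    """Return one redacted finding per JWT found in container command/args."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            for field in ("command", "args"):
                for value in c.get(field) or []:
                    for tok in JWT_RE.findall(str(value)):
                        header = _b64url_json(tok.split(".")[0])
                        if header is None or "alg" not in header:
                            continue  # JWT-shaped text without a valid JOSE header
                        findings.append({
                            "pod": f"{meta.get('namespace')}/{meta.get('name')}",
                            "container": c.get("name"),
                            "field": field,
                            "token": tok[:10] + "...[redacted]",  # never log the full token
                        })
    return findings

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: token, pod names, "run-task" and "--payload" are all made up.
SAMPLE_JWT = ".".join([_seg({"alg": "HS256", "typ": "JWT"}),
                       _seg({"sub": "constructed-task"}), "c2lnbmF0dXJl"])
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "airflow", "name": "task-pod-a"},
     "spec": {"containers": [{"name": "base", "command": ["run-task"],
                              "args": ["--payload", json.dumps({"token": SAMPLE_JWT})]}]}},
    {"metadata": {"namespace": "airflow", "name": "task-pod-b"},
     "spec": {"containers": [{"name": "base", "args": ["--config", "/etc/app.cfg"]}]}},
]}

if __name__ == "__main__":
    for finding in find_exposed_jwts(SAMPLE_PODS):
        print(finding)
```

To audit a cluster, pass the parsed output of kubectl get pods -A -o json to find_exposed_jwts; any finding means the token is readable by every principal with pod read access in that namespace.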
Affected Version(s)
Apache Airflow 0 < 3.2.2
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Nikolai Dvoinishnikov (nikdvy@gmail.com)
Anton Kuznetsov (piratusxp@gmail.com)
Anish Giri