Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)
Ecosystem-wide dependent count for version 3.0.0.
DescriptionCVE.org
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+
Users are recommended to upgrade to version 3.2.0, which fixes this issue.
AnalysisAI
Apache Airflow 3.0.0 through 3.1.x fails to invalidate JWT tokens at logout, allowing intercepted tokens to remain valid for unauthorized API access. This session management weakness enables replay attacks against the workflow orchestration platform's REST API. No active exploitation confirmed (EPSS 3rd percentile), but SSVC rates as automatable with partial technical impact. Vendor-released patch: Apache Airflow 3.2.0.
Technical ContextAI
Apache Airflow is a workflow orchestration platform that uses JWT (JSON Web Token) authentication for its REST API. The vulnerability stems from improper session termination (CWE-613: Insufficient Session Expiration). When users authenticated to Airflow's web interface and logged out, the application failed to add the JWT to a revocation list or otherwise mark it as invalid. JWTs are cryptographically signed tokens that typically include an expiration timestamp but no server-side state. Without explicit invalidation mechanisms like token blacklisting or database-backed session tracking, a valid JWT remains usable until its built-in expiration time passes. The affected CPE (cpe:2.3:a:apache:airflow) covers versions 3.0.0 through 3.1.x. Airflow 3.2.0 introduced a token invalidation mechanism, likely implemented via the referenced GitHub pull requests 56633 and 61339, which may use Redis-backed token blacklisting, database session tables, or JTI (JWT ID) tracking to prevent reuse of logged-out tokens.
RemediationAI
Upgrade to Apache Airflow 3.2.0 or later, which implements JWT token invalidation at logout via changes in GitHub pull requests 56633 and 61339. Before patching, implement compensating controls: reduce JWT token expiration times to minimize the replay window (edit airflow.cfg webserver.access_token_expiration to 600 seconds or less, noting this requires users to re-authenticate more frequently), enforce HTTPS for all Airflow web interfaces to prevent passive token interception (configure webserver.web_server_ssl_cert and web_server_ssl_key), restrict network access to Airflow's webserver port (default 8080) to trusted IP ranges via firewall rules (reduces token exposure surface but does not prevent replay attacks from allowed networks), and implement short-lived refresh tokens if customizing authentication (requires code changes and operational complexity). Monitor for anomalous API access patterns such as simultaneous sessions from different IP addresses or access after logout events in webserver logs. Note that reducing token expiration creates operational friction for legitimate users who must authenticate more frequently. No workaround fully mitigates the issue; upgrade to 3.2.0 is the only complete fix. Advisory: https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98.
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but th
An issue was found in Apache Airflow versions 1.10.10 and below. Rated high severity (CVSS 8.8), this vulnerability is r
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. Rated critical severity (CV
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arb
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a maliciou
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.6.0. Rated critical severit
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Fou
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airfl
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airfl
In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixa
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209371
GHSA-c92r-g8j5-vhcx