GHSA-vr7m-c6v4-8cx8
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 8 pypi packages depend on apache-airflow (4 direct, 4 indirect)
Ecosystem-wide dependent count for version 3.2.2.
Description PRE-NVD
AnalysisAI
JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.
Technical ContextAI
Apache Airflow's FastAPI-based REST API (airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py) issues JWT access tokens stored as cookies, identified by a jti (JWT ID) claim. The RevokedToken mechanism is designed to blocklist tokens server-side upon logout, compensating for JWTs' inherent statelessness. CWE-613 (Insufficient Session Expiration) is the root cause class: the token's expiry was never actively enforced on logout when an external identity provider is involved. The defect arises specifically when get_url_logout() on FabAuthManager or KeycloakAuthManager returns a non-None redirect URL - the logout route performed a 307 redirect before reaching the revoke_token() call, rendering revocation dead code in those auth manager configurations. Affected versions span Apache Airflow 0 through 3.2.2 (exclusive) per EUVD-2026-33581 CPE data.
RemediationAI
Upgrade Apache Airflow to version 3.2.2 or later, which contains the fix confirmed in upstream PR #67289. The patch reorders the logout handler to call auth_manager.revoke_token(token_str) before any redirect is issued, ensuring the token's jti is registered in the RevokedToken blocklist regardless of whether the auth manager redirects to an external IdP URL. The Apache advisory is at https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx. If immediate upgrade is not feasible and you are using an external auth manager with a logout redirect URL, a compensating control is to shorten JWT token TTL to the minimum operationally tolerable value in Airflow's configuration (api.access_token_lifetime_in_seconds), reducing the window during which a post-logout token remains valid. Note this trade-off: shorter TTLs increase re-authentication friction for users. Revoking session cookies server-side or deploying a reverse proxy that clears the JWT cookie on logout does not address the server-side RevokedToken gap and is not a sufficient standalone mitigation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33581