Skip to main content

Apache Airflow EUVDEUVD-2026-23233

| CVE-2026-31987 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-04-16 apache GHSA-phv5-vq5p-qhp7
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 20, 2026 - 17:07 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 04:22 vuln.today
CVSS changed
Apr 18, 2026 - 04:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 16, 2026 - 14:00 euvd
EUVD-2026-23233
Analysis Generated
Apr 16, 2026 - 14:00 vuln.today
Patch released
Apr 16, 2026 - 14:00 nvd
Patch available
CVE Published
Apr 16, 2026 - 13:31 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

AnalysisAI

Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI user with log access to escalate privileges and impersonate DAG Authors. CVSS rates this 7.5 HIGH for confidentiality impact, though the EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. No active exploitation is confirmed; vendor patch available in version 3.2.0 released April 2026.

Technical ContextAI

Apache Airflow is a workflow orchestration platform where users execute data pipelines (DAGs). The platform uses JWT tokens for task authentication, allowing task processes to authenticate back to the Airflow API. CWE-532 (Insertion of Sensitive Information into Log File) indicates these tokens were logged in plaintext, likely during task execution or API interactions. JWT tokens typically contain claims that identify the principal (user/service) and their permissions. In Airflow's role-based access model, DAG Authors have elevated privileges to create and modify workflows, while UI users may have restricted read-only access. Exposure of DAG Author tokens allows horizontal privilege escalation within the application. The vulnerability affects Apache Airflow versions 3.0.0 through all 3.1.x releases, as confirmed by CPE cpe:2.3:a:apache_software_foundation:apache_airflow and EUVD version ranges. The fix was implemented in GitHub PR #62964 and released in version 3.2.0.

RemediationAI

Upgrade to Apache Airflow 3.2.0 or later, which removes JWT token logging (fix implemented in GitHub PR https://github.com/apache/airflow/pull/62964). Refer to the official Apache advisory at https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g for upgrade guidance. For environments unable to immediately upgrade, implement compensating controls: restrict access to Airflow logs to only users who already possess DAG Author privileges (reducing the privilege escalation opportunity), enable log encryption at rest, configure log retention policies to minimize exposure window (delete logs containing tokens after archival requirements are met, noting this may impact forensic capabilities), and monitor for anomalous API calls using JWT tokens associated with logged-out or unexpected user sessions (implement JWT replay detection, though this adds operational overhead and may generate false positives during legitimate task retries). Review historical logs accessible to UI users and rotate credentials for any DAG Authors whose tokens may have been exposed. Note that log access restrictions may conflict with debugging workflows if developers require log visibility.

CVE-2026-33264 CRITICAL
9.8 Jul 07

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controll

CVE-2026-30898 HIGH
8.8 Apr 18

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate priv

CVE-2025-54550 HIGH
8.1 Apr 15

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xco

CVE-2026-30911 HIGH
8.1 Mar 17

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnera

CVE-2026-28779 HIGH
7.5 Mar 17

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High

CVE-2026-32228 HIGH
7.5 Apr 18

Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acycli

CVE-2026-49296 MEDIUM
6.5 Jul 07

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full fil

CVE-2026-49487 MEDIUM
6.5 Jul 07

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when t

CVE-2026-48828 MEDIUM
6.5 Jul 07

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read

CVE-2026-48892 MEDIUM
6.5 Jul 07

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permissi

CVE-2026-26929 MEDIUM
6.5 Mar 17

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management proce

CVE-2026-48891 MEDIUM
4.3 Jul 07

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted D

Share

EUVD-2026-23233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy