Apache Airflow JWT Token Exposure in Logs Vulnerability

Vulnerability

A vulnerability exists in Apache Airflow versions 3.0.0 up to but not including 3.2.0, in which the JSON Web Tokens (JWT) used by tasks are written to the task logs in plain text. Because task logs are viewable in the UI, a user with log access could reuse such a token to impersonate the DAG author. The issue has been addressed in Airflow version 3.2.0.

Impact

The vulnerability allows for unauthorized actions to be performed as a DAG author, potentially leading to manipulation of workflows or data.

Reproduction

The vulnerability can be reproduced by running any DAG in Apache Airflow 3.1.7 with the official Airflow Helm Chart deployed. The JWT tokens will appear in the task logs.
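Because the tokens appear in log text, a defender on an affected version also wants to know which existing task logs already contain one and to redact them before the logs are retained or forwarded. The following is an added example, not Airflow's own code: it assumes only that task logs are plain text lines, and both the sample token and the sample log lines (including the TASK_TOKEN name) are constructed for illustration.

```python
import base64
import json
import re

# Three base64url segments joined by dots; a JSON header always encodes to "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_json(segment: str):
    """Decode one base64url segment as JSON, or return None if it is not one."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        return json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None

def find_jwts(line: str) -> list:
    """Return alg/sub/exp for every string in the line that decodes as a JWT."""
    findings = []
    for match in JWT_RE.finditer(line):
        header_seg, payload_seg, _signature = match.group(0).split(".")
        header, payload = _b64url_json(header_seg), _b64url_json(payload_seg)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            continue  # looked like base64url but is not a JWT
        findings.append({"alg": header.get("alg"), "sub": payload.get("sub"),
                         "exp": payload.get("exp")})
    return findings

def redact_line(line: str) -> str:
    """Replace any JWT-shaped token so the line is safe to retain or forward."""
    return JWT_RE.sub("<REDACTED_JWT>", line)

def scan_task_log(log_text: str) -> list:
    """Return (1-based line number, finding) for each token found in a log."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1)
            for f in find_jwts(line)]

def _sample_jwt(payload: dict) -> str:
    """Constructed, unsigned token used only as sample input (no real key)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.ZmFrZXNpZw"

# Constructed log lines; the TASK_TOKEN variable name is made up for illustration.
SAMPLE_LOG = "\n".join([
    "[2026-04-16T14:32:00] INFO - Starting attempt 1 of 1",
    f"[2026-04-16T14:32:01] INFO - env TASK_TOKEN={_sample_jwt({'sub': 'dag-author', 'exp': 1800000000})}",
    "[2026-04-16T14:32:02] INFO - Task exited with return code 0",
])
```

The decoded `sub` and `exp` tell you whose token leaked and whether it is still valid, which decides whether the exposure needs revocation or only log cleanup.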

Remediation

Users are advised to upgrade to Apache Airflow version 3.2.0, which includes the necessary fix.

Added: Apr 16, 2026, 2:32 PM
Updated: Apr 16, 2026, 2:32 PM

Vulnerability Rating

Custom Algorithm (each category scored 0 to 10):

  spread          5.0
  impact          5.0
  exploitability  7.2
  remediation     7.7
  relevance       6.0
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.