Mallory

Apache Airflow 3.0.x Exposed JWTs Through Logout and Logging Flaws

Tags: identity-authentication-vulnerability, widely-deployed-product-advisory, leaked-secret-api-key
Updated April 16, 2026 at 05:05 PM (2 sources)


Apache disclosed two JWT-related vulnerabilities in Apache Airflow affecting versions 3.0.0 before 3.2.0. The first, CVE-2025-57735, is a low-severity flaw in which logout did not invalidate authentication JWTs, leaving intercepted tokens usable after a user signed out. The second, CVE-2026-31987, is a moderate-severity issue that caused task JWTs to appear in logs, potentially exposing credentials to users who could then act as DAG authors.

Apache said both issues are fixed in Airflow 3.2.0, which adds token invalidation on logout and removes the logging exposure. Organizations running affected releases have been advised to upgrade to 3.2.0 or later, particularly where shared log access or concerns about token reuse could increase the risk of unauthorized access and privilege escalation.
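The two defects described above come down to two server-side controls: a logout must leave a record that a still-unexpired token is no longer acceptable, and log output must never carry a signed token. The following example, added here and not Airflow's own code, shows both in a minimal form: a self-contained HS256 JWT issuer and verifier (constructed for the example, not a real library), a `jti` denylist consulted on every verification and populated on logout, and a `logging.Filter` that scrubs JWT-shaped strings before a record reaches a handler. The key, claim names and log message are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import logging
import re
import time
import uuid


# Minimal HS256 JWT helpers, constructed for this example (not Airflow's code).
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes, now: float, ttl: int = 900) -> str:
    """Sign claims as an HS256 JWT, adding a unique jti so it can be revoked later."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, jti=str(uuid.uuid4()), iat=int(now), exp=int(now) + ttl)
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Server-side denylist of jti values; an entry is only needed until the token's own exp."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: float) -> bool:
        # Entries whose token has expired can never verify again, so drop them.
        for stale in [j for j, e in self._revoked.items() if e <= now]:
            del self._revoked[stale]
        return jti in self._revoked


class TokenError(Exception):
    pass


def verify_token(token: str, key: bytes, revoked: RevocationList, now: float) -> dict:
    """Check signature, algorithm, expiry and the revocation list; return the claims."""
    try:
        h, p, s = token.split(".")
        sig = _b64url_decode(s)
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except Exception as exc:  # malformed base64/JSON or wrong segment count
        raise TokenError("malformed token") from exc
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if revoked.is_revoked(claims.get("jti", ""), now):
        raise TokenError("revoked")
    return claims


def logout(token: str, key: bytes, revoked: RevocationList, now: float) -> None:
    """Invalidate a still-valid token by recording its jti until the token would expire anyway."""
    claims = verify_token(token, key, revoked, now)
    revoked.revoke(claims["jti"], claims["exp"])


# Three base64url segments separated by dots, not glued to other token-like characters.
_JWT_RE = re.compile(r"(?<![\w.-])[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}(?![\w.-])")


def redact_jwts(text: str) -> str:
    return _JWT_RE.sub("[REDACTED_JWT]", text)


class JwtRedactingFilter(logging.Filter):
    """Scrub JWT-shaped strings from a record's fully formatted message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact_jwts(record.getMessage()), ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo() -> dict:
    key = b"constructed-demo-key-not-for-production"
    revoked, now = RevocationList(), time.time()
    token = issue_token({"sub": "alice"}, key, now)
    results = {"before_logout": verify_token(token, key, revoked, now)["sub"]}
    logout(token, key, revoked, now)
    try:
        verify_token(token, key, revoked, now + 1)
        results["after_logout"] = "accepted"
    except TokenError as exc:
        results["after_logout"] = str(exc)
    # A forged payload with the original signature must fail before reaching the denylist.
    h, _, s = token.split(".")
    forged = h + "." + _b64url(b'{"sub":"admin"}') + "." + s
    try:
        verify_token(forged, key, revoked, now)
        results["forged"] = "accepted"
    except TokenError as exc:
        results["forged"] = str(exc)
    log = logging.getLogger("demo.tasks")
    log.propagate, log.level = False, logging.INFO
    handler = _ListHandler()
    log.addHandler(handler)
    log.addFilter(JwtRedactingFilter())
    log.info("worker fetched credentials: Authorization: Bearer %s", token)  # constructed line
    results["log_line"] = handler.lines[-1]
    return results


if __name__ == "__main__":
    print(demo())
```

The filter is attached to the logger rather than to a handler so that every handler, including file and remote ones, receives the scrubbed record; the revocation list is pruned against `exp` so it never grows beyond the number of tokens that were logged out while still valid.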

Timeline

  1. Apr 16, 2026

    Apache discloses CVE-2026-31987 for JWT tokens exposed in Airflow logs

    Apache disclosed a moderate-severity vulnerability affecting Airflow versions 3.0.0 before 3.2.0 in which JWT tokens used by tasks could appear in logs. Apache said the issue could enable UI users to act as DAG authors and advised upgrading to Airflow 3.2.0.

  2. Apr 9, 2026

    Apache discloses CVE-2025-57735 affecting Airflow JWT logout behavior

    Apache disclosed a low-severity vulnerability in Apache Airflow where authentication JWTs were not invalidated on logout, creating a risk that intercepted tokens could be reused. Users were advised to upgrade to Airflow 3.2.0 or later.

  3. Apr 9, 2026

    Apache Airflow 3.2.0 fixes JWT logout invalidation issue

    Apache stated that Airflow 3.2 introduced token invalidation on logout, addressing CVE-2025-57735, which affected versions 3.0.0 before 3.2.0 and allowed JWTs to remain valid after logout.


Related Stories

Apache Airflow Flaws Enable Security Bypass and Multiple Additional Vulnerabilities

German authorities issued advisories for **Apache Airflow** covering a vulnerability that can bypass security measures and a separate notice for **multiple vulnerabilities** affecting the workflow orchestration platform. The alerts indicate that Airflow deployments may be exposed to weaknesses that undermine intended protections and introduce additional security risk across affected environments. Organizations using Apache Airflow should review the referenced advisories, identify affected versions, and prioritize vendor-recommended updates or mitigations. Because Airflow is commonly used to manage automated data pipelines and scheduled jobs, successful exploitation could weaken access controls or expose connected systems and workflows to further compromise.

1 week ago
Apache Airflow fixes XCom-related code execution flaws in deserialization and example DAGs

Apache disclosed two low-severity code execution issues in **Apache Airflow** tied to its XCom mechanism and addressed them in **Airflow 3.2.0**. **CVE-2026-33858** affects Airflow versions `3.1.8` before `3.2.0` and stems from unsafe deserialization in the XCom API, where legacy serialization keys `__type` and `__var` can bypass protections and let a DAG author craft payloads that execute arbitrary code in the webserver context. Apache said the flaw was rated low severity because DAG authors are already treated as highly trusted users. Apache also disclosed **CVE-2025-54550**, a low-severity remote code execution issue involving the documented `example_xcom` DAG pattern. The vulnerable pattern read XCom values in a way that could allow a UI user with permission to modify XComs to trigger arbitrary code execution on a worker through a race condition. Apache said official releases were not directly affected because example DAGs are not meant to be enabled in production, but organizations that copied the documented approach could reproduce the weakness in their own deployments; updated documentation in **Airflow 3.2.0** provides a safer example.

2 weeks ago
Privilege Escalation Vulnerability in Apache StreamPipes (CVE-2025-47411)

A critical privilege escalation vulnerability, tracked as CVE-2025-47411, was discovered in Apache StreamPipes versions 0.69.0 through 0.97.0. The flaw allows legitimate non-administrator users to manipulate JWT tokens and escalate their privileges by swapping their username for an existing administrator account, thereby gaining full administrative control of the application. This vulnerability stems from a flawed user ID creation mechanism and poses significant risks, as attackers can bypass access controls without advanced technical skills or external tools. Once administrative access is obtained, attackers can access sensitive data, modify system configurations, and potentially compromise the entire data streaming infrastructure. The vulnerability is particularly concerning for organizations using StreamPipes to process proprietary or operational data, and it introduces supply chain risks if integrated with critical business systems. Apache has addressed the issue by releasing version 0.98.0, urging all affected users to update immediately to mitigate the risk.

1 month ago