CVE-2026-31987

HIGH

Apache Airflow: JWT token appearing in logs

Title source: cna

Description

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

References (5)

[Patch] https://github.com/apache/airflow/pull/62964

[Issue Tracking] https://github.com/apache/airflow/issues/62428

[Issue Tracking] https://github.com/apache/airflow/issues/62773

[Vendor Advisory] https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/16/7

Scores

CVSS v3 7.5

EPSS 0.0012

EPSS Percentile 29.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (3)

apache/airflow 3.0.0 - 3.2.0

Apache Software Foundation/Apache Airflow 3.0.0 - 3.2.0

pypi/apache-airflow 3.0.0 - 3.2.0PyPI

Published Apr 16, 2026

Tracked Since Apr 16, 2026