Apache Airflow: JWT token appearing in logs
Summary
| CVE | CVE-2026-31987 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-16 14:16:13 UTC |
| Updated | 2026-04-16 19:16:33 UTC |
| Description | JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue. |
Risk And Classification
Problem Types: CWE-532 Insertion of Sensitive Information into Log File
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Airflow | affected from 3.0.0 before 3.2.0 (semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/apache/airflow/pull/62964 | [email protected] | github.com | |
| www.openwall.com/lists/oss-security/2026/04/16/7 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| github.com/apache/airflow/issues/62773 | [email protected] | github.com | |
| github.com/apache/airflow/issues/62428 | [email protected] | github.com | |
| lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g | [email protected] | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: unixengineer (en)
CNA: Jason Imison (en)
CNA: Pineapple (en)
There are currently no legacy QID mappings associated with this CVE.