CVE-2026-31987

7.5 HIGH
Published: April 16, 2026
Modified: April 20, 2026

Description

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

https://github.com/apache/airflow/issues/62428
Source: security@apache.org
Issue Tracking
https://github.com/apache/airflow/issues/62773
Source: security@apache.org
Issue Tracking
https://github.com/apache/airflow/pull/62964
Source: security@apache.org
Issue Tracking Third Party Advisory Patch
https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g
Source: security@apache.org
Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/04/16/7
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.1%
30th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

apache