Home

Description

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue.

PUBLISHED Reserved 2025-08-18 | Published 2026-04-09 | Updated 2026-04-09 | Assigner apache

Problem types

CWE-613: Insufficient Session Expiration

Product status

Default status
unaffected

3.0.0 (semver) before 3.2.0
affected

Credits

Saurabh Banawar finder

Anish Giri remediation developer

vincent beck remediation developer

References

github.com/apache/airflow/pull/61339 patch

github.com/apache/airflow/pull/56633 patch

lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98 vendor-advisory

cve.org (CVE-2025-57735)

nvd.nist.gov (CVE-2025-57735)

Download JSON