Description

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

PUBLISHED Reserved 2026-03-10 | Published 2026-04-16 | Updated 2026-04-18 | Assigner apache

Problem types

CWE-532 Insertion of Sensitive Information into Log File

Product status

Default status: unaffected

3.0.0 (semver) before 3.2.0: affected

Credits

unixengineer (finder)

Jason Imison (finder)

Pineapple (remediation developer)

References

www.openwall.com/lists/oss-security/2026/04/16/7

github.com/apache/airflow/pull/62964 (patch)

github.com/apache/airflow/issues/62428 (issue-tracking)

github.com/apache/airflow/issues/62773 (issue-tracking)

lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g (vendor-advisory)

cve.org (CVE-2026-31987)

nvd.nist.gov (CVE-2026-31987)