DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-31987

CVSS Score: 7.5 (High)
Published: Apr 16, 2026
Last Modified: Apr 20, 2026

Vulnerability Description

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to an Airflow version that contains the fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)

Known Affected Software

14 configuration(s) from 1 vendor(s)

airflow, Version: 3.1.5, CPE: cpe:2.3:a:apache:airflow:3.1.5:-:*:*:*:*:*:*
airflow, Version: 3.0.0, CPE: cpe:2.3:a:apache:airflow:3.0.0:rc4:*:*:*:*:*:*
airflow, Version: 3.0.3, CPE: cpe:2.3:a:apache:airflow:3.0.3:-:*:*:*:*:*:*
airflow, Version: 3.1.6, CPE: cpe:2.3:a:apache:airflow:3.1.6:-:*:*:*:*:*:*
airflow, Version: 3.1.3, CPE: cpe:2.3:a:apache:airflow:3.1.3:-:*:*:*:*:*:*
airflow, Version: 3.1.1, CPE: cpe:2.3:a:apache:airflow:3.1.1:-:*:*:*:*:*:*
airflow, Version: 3.0.2, CPE: cpe:2.3:a:apache:airflow:3.0.2:-:*:*:*:*:*:*
airflow, Version: 3.0.5, CPE: cpe:2.3:a:apache:airflow:3.0.5:-:*:*:*:*:*:*
airflow, Version: 3.0.6, CPE: cpe:2.3:a:apache:airflow:3.0.6:-:*:*:*:*:*:*
airflow, Version: 3.1.2, CPE: cpe:2.3:a:apache:airflow:3.1.2:rc1:*:*:*:*:*:*
airflow, Version: 3.1.0, CPE: cpe:2.3:a:apache:airflow:3.1.0:-:*:*:*:*:*:*
airflow, Version: 3.1.4, CPE: cpe:2.3:a:apache:airflow:3.1.4:rc1:*:*:*:*:*:*
airflow, Version: 3.0.4, CPE: cpe:2.3:a:apache:airflow:3.0.4:-:*:*:*:*:*:*
airflow, Version: 3.0.1, CPE: cpe:2.3:a:apache:airflow:3.0.1:-:*:*:*:*:*:*

This vulnerability affects 14 software configuration(s). Ensure you patch all affected systems.

Severity Details

7.5 out of 10.0 (High)

Weakness Type (CWE)

CWE-532: Insertion of Sensitive Information into Log File

Description: The product writes sensitive information to a log file.
Exploit Likelihood: Medium
Typical Severity: Medium
Abstraction Level: Base

Key Information

Published Date: April 16, 2026