6.9
Airflow: Exposed Tokens Allow UI Users to Act as Dag Authors
CVE-2026-31987
GHSA-phv5-vq5p-qhp7
Summary
Airflow's task logs revealed sensitive information, potentially allowing unauthorized users to create workflows as if they were administrators. This could lead to data breaches or unauthorized changes. To fix this, update to the latest version of Airflow.
What to do
- Update apache-airflow to version 3.2.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | apache-airflow | >= 3.0.0, < 3.2.0 (Fix: upgrade to 3.2.0) |
Original title
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to Airflow version that contains fix.
Users are recommended to upgrade...
Original description
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to Airflow version that contains fix.
Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Vulnerability type
CWE-532
Insertion of Sensitive Information into Log File
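A check a defender might run over stored task logs for the condition described above: it finds JWT-shaped strings, confirms them by decoding the header and payload, and reports line numbers without echoing the token. This is an added example, not code from Airflow or the advisory; the function names, the sample token and the log lines are constructed, and Airflow's actual log format is not assumed.

```python
import base64
import json
import re

# A JSON-object header such as {"alg": ...} base64url-encodes to a segment that
# starts with "eyJ"; a JWT is three such dot-separated base64url segments.
JWT_CANDIDATE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _decode_segment(segment):
    """Decode one base64url segment to a dict, or None if it is not a JSON object."""
    try:
        value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return value if isinstance(value, dict) else None

def find_jwts(lines):
    """Return (line_number, alg, claim_names) per confirmed JWT; never the token itself."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in JWT_CANDIDATE.finditer(line):
            header_b64, payload_b64, _signature = match.group(0).split(".")
            header, payload = _decode_segment(header_b64), _decode_segment(payload_b64)
            # Require a header carrying "alg" and a JSON payload, which filters
            # out other dotted strings that merely look like base64.
            if header and "alg" in header and payload is not None:
                findings.append((number, header["alg"], sorted(payload)))
    return findings

def redact(line):
    """Replace JWT-shaped strings so the line can be kept without the credential."""
    return JWT_CANDIDATE.sub("[REDACTED-JWT]", line)

def _encode_segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: this token and these log lines are made up for the example
# and are not real Airflow output.
SAMPLE_TOKEN = ".".join([
    _encode_segment({"alg": "HS512", "typ": "JWT"}),
    _encode_segment({"sub": "constructed-task", "exp": 0}),
    "c2lnbmF0dXJl",
])
SAMPLE_LOG = [
    "INFO - task started",
    f"DEBUG - Authorization: Bearer {SAMPLE_TOKEN}",
    "INFO - wrote results.v1.final",
]
```

Calling `find_jwts` on the lines of a log file gives the places to review, and `redact` can be applied to each line before the file is archived or shared.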
References
- https://github.com/apache/airflow/issues/62428
- https://github.com/apache/airflow/issues/62773
- https://github.com/apache/airflow/pull/62964
- https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g
- https://nvd.nist.gov/vuln/detail/CVE-2026-31987
- http://www.openwall.com/lists/oss-security/2026/04/16/7
- https://github.com/advisories/GHSA-phv5-vq5p-qhp7
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026