CVE-2026-31987

Published: Apr 16, 2026

Modified: Apr 18, 2026

PUBLISHED

Description

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Vendor	Product	Versions
Apache Software Foundation	Apache Airflow	affected `3.0.0 - < 3.2.0`

Weaknesses (CWE)

CWE-532

References

https://github.com/apache/airflow/pull/62964

patch

https://github.com/apache/airflow/issues/62428

issue-tracking

https://github.com/apache/airflow/issues/62773

issue-tracking

https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31987

Description

Affected Products

Weaknesses (CWE)

References