PYSEC-2026-187

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-187.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-187

Aliases

BIT-airflow-2026-48726
CVE-2026-48726

Published

2026-06-01T09:16:20.187Z

Modified

2026-06-05T07:56:05.330403026Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoke_token() call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with FabAuthManager or KeycloakAuthManager (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side revoke_token() reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to apache-airflow 3.2.2 or later to cover the FAB / Keycloak logout paths.

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2

Affected versions

1.*

1.8.1

1.8.2rc1

1.8.2

1.9.0

1.10.0

1.10.1b1

1.10.1rc2

1.10.1

1.10.2b2

1.10.2rc1

1.10.2rc2

1.10.2rc3

1.10.2

1.10.3b1

1.10.3b2

1.10.3rc1

1.10.3rc2

1.10.3

1.10.4b2

1.10.4rc1

1.10.4rc2

1.10.4rc3

1.10.4rc4

1.10.4rc5

1.10.4

1.10.5rc1

1.10.5

1.10.6rc1

1.10.6rc2

1.10.6

1.10.7rc1

1.10.7rc2

1.10.7rc3

1.10.7

1.10.8rc1

1.10.8

1.10.9rc1

1.10.9

1.10.10rc1

1.10.10rc2

1.10.10rc3

1.10.10rc4

1.10.10rc5

1.10.10

1.10.11rc1

1.10.11rc2

1.10.11

1.10.12rc1

1.10.12rc2

1.10.12rc3

1.10.12rc4

1.10.12

1.10.13rc1

1.10.13

1.10.14rc1

1.10.14rc2

1.10.14rc3

1.10.14rc4

1.10.14

1.10.15rc1

1.10.15

2.*

2.0.0b1

2.0.0b2

2.0.0b3

2.0.0rc1

2.0.0rc2

2.0.0rc3

2.0.0

2.0.1rc1

2.0.1rc2

2.0.1

2.0.2rc1

2.0.2

2.1.0rc1

2.1.0rc2

2.1.0

2.1.1rc1

2.1.1

2.1.2rc1

2.1.2

2.1.3rc1

2.1.3

2.1.4rc1

2.1.4rc2

2.1.4

2.2.0b1

2.2.0b2

2.2.0rc1

2.2.0

2.2.1rc1

2.2.1rc2

2.2.1

2.2.2rc1

2.2.2rc2

2.2.2

2.2.3rc1

2.2.3rc2

2.2.3

2.2.4rc1

2.2.4

2.2.5rc1

2.2.5rc2

2.2.5rc3

2.2.5

2.3.0b1

2.3.0rc1

2.3.0rc2

2.3.0

2.3.1rc1

2.3.1

2.3.2rc1

2.3.2rc2

2.3.2

2.3.3rc1

2.3.3rc2

2.3.3rc3

2.3.3

2.3.4rc1

2.3.4

2.4.0b1

2.4.0rc1

2.4.0

2.4.1rc1

2.4.1

2.4.2rc1

2.4.2

2.4.3rc1

2.4.3

2.5.0rc1

2.5.0rc2

2.5.0rc3

2.5.0

2.5.1rc1

2.5.1rc2

2.5.1

2.5.2rc1

2.5.2rc2

2.5.2

2.5.3rc1

2.5.3rc2

2.5.3

2.6.0b1

2.6.0rc1

2.6.0rc2

2.6.0rc3

2.6.0rc4

2.6.0rc5

2.6.0

2.6.1rc1

2.6.1rc2

2.6.1rc3

2.6.1

2.6.2rc1

2.6.2rc2

2.6.2

2.6.3rc1

2.6.3

2.7.0b1

2.7.0rc1

2.7.0rc2

2.7.0

2.7.1rc1

2.7.1rc2

2.7.1

2.7.2rc1

2.7.2

2.7.3rc1

2.7.3

2.8.0b1

2.8.0rc1

2.8.0rc2

2.8.0rc3

2.8.0rc4

2.8.0

2.8.1rc1

2.8.1

2.8.2rc1

2.8.2rc2

2.8.2rc3

2.8.2

2.8.3rc1

2.8.3

2.8.4rc1

2.8.4

2.9.0b1

2.9.0b2

2.9.0rc1

2.9.0rc2

2.9.0rc3

2.9.0

2.9.1rc1

2.9.1rc2

2.9.1

2.9.2rc1

2.9.2

2.9.3rc1

2.9.3

2.10.0b1

2.10.0b2

2.10.0rc1

2.10.0

2.10.1rc1

2.10.1

2.10.2rc1

2.10.2

2.10.3rc1

2.10.3rc2

2.10.3

2.10.4rc1

2.10.4

2.10.5rc1

2.10.5

2.11.0rc1

2.11.0

2.11.1rc1

2.11.1rc2

2.11.1

2.11.2rc1

2.11.2

3.*

3.0.0b4

3.0.0rc1

3.0.0rc1.post1

3.0.0rc1.post2

3.0.0rc1.post3

3.0.0rc1.post4

3.0.0rc2

3.0.0rc3

3.0.0rc4

3.0.0

3.0.1rc1

3.0.1

3.0.2rc1

3.0.2rc2

3.0.2

3.0.3rc1

3.0.3rc2

3.0.3rc3

3.0.3rc4

3.0.3rc5

3.0.3rc6

3.0.3

3.0.4rc1

3.0.4rc2

3.0.4

3.0.5rc1

3.0.5rc2

3.0.5rc3

3.0.5

3.0.6rc1

3.0.6rc2

3.0.6

3.1.0b1

3.1.0b2

3.1.0rc1

3.1.0rc2

3.1.0

3.1.1rc1

3.1.1rc2

3.1.1

3.1.2rc1

3.1.2rc2

3.1.2

3.1.3rc1

3.1.3

3.1.4rc1

3.1.4rc2

3.1.4

3.1.5rc1

3.1.5

3.1.6rc1

3.1.6

3.1.7rc1

3.1.7rc2

3.1.7

3.1.8rc1

3.1.8rc2

3.1.8

3.2.0b1

3.2.0b2

3.2.0rc1

3.2.0rc2

3.2.0

3.2.1rc1

3.2.1rc2

3.2.1rc3

3.2.1

3.2.2rc1

3.2.2rc2

3.2.2rc3

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-187.yaml"