PYSEC-2026-2352

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-2352.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2352
Aliases
Published
2026-07-13T15:02:48.921766Z
Modified
2026-07-13T16:42:46.916265698Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Apache Airflow: JWT token appearing in logs
Details

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

References

Affected packages

PyPI / apache-airflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.0

Affected versions

3.*
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2rc2
3.0.2
3.0.3rc1
3.0.3rc2
3.0.3rc3
3.0.3rc4
3.0.3rc5
3.0.3rc6
3.0.3
3.0.4rc1
3.0.4rc2
3.0.4
3.0.5rc1
3.0.5rc2
3.0.5rc3
3.0.5
3.0.6rc1
3.0.6rc2
3.0.6
3.1.0b1
3.1.0b2
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1
3.1.2rc1
3.1.2rc2
3.1.2
3.1.3rc1
3.1.3
3.1.4rc1
3.1.4rc2
3.1.4
3.1.5rc1
3.1.5
3.1.6rc1
3.1.6
3.1.7rc1
3.1.7rc2
3.1.7
3.1.8rc1
3.1.8rc2
3.1.8
3.2.0b1
3.2.0b2
3.2.0rc1
3.2.0rc2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-2352.yaml"