{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31987", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-10T18:31:09.400Z", "datePublished": "2026-04-16T13:31:52.336Z", "dateUpdated": "2026-04-18T02:28:44.770Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "unixengineer"}, {"lang": "en", "type": "finder", "value": "Jason Imison"}, {"lang": "en", "type": "remediation developer", "value": "Pineapple"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. <br>Users are advised to upgrade to Airflow version that contains fix.<br><br>Users are recommended to upgrade to version 3.2.0, which fixes this issue. <br><br>"}], "value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. \nUsers are advised to upgrade to Airflow version that contains fix.\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "Moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-16T13:31:52.336Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/62964"}, {"tags": ["issue-tracking"], "url": "https://github.com/apache/airflow/issues/62428"}, {"tags": ["issue-tracking"], "url": "https://github.com/apache/airflow/issues/62773"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: JWT token appearing in logs", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-16T18:24:29.466Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-18T02:27:54.967201Z", "id": "CVE-2026-31987", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T02:28:44.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-16T18:24:29.466Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31987", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-18T02:27:54.967201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T02:28:39.231Z"}}], "cna": {"title": "Apache Airflow: JWT token appearing in logs", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "unixengineer"}, {"lang": "en", "type": "finder", "value": "Jason Imison"}, {"lang": "en", "type": "remediation developer", "value": "Pineapple"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "Moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Airflow", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.2.0", "versionType": "semver"}], "packageName": "apache-airflow", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/airflow/pull/62964", "tags": ["patch"]}, {"url": "https://github.com/apache/airflow/issues/62428", "tags": ["issue-tracking"]}, {"url": "https://github.com/apache/airflow/issues/62773", "tags": ["issue-tracking"]}, {"url": "https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "airflow-s/generate_cve_json.py"}, "descriptions": [{"lang": "en", "value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. \nUsers are advised to upgrade to Airflow version that contains fix.\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. <br>Users are advised to upgrade to Airflow version that contains fix.<br><br>Users are recommended to upgrade to version 3.2.0, which fixes this issue. <br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-16T13:31:52.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31987", "state": "PUBLISHED", "dateUpdated": "2026-04-18T02:28:44.770Z", "dateReserved": "2026-03-10T18:31:09.400Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-16T13:31:52.336Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. \nUsers are advised to upgrade to Airflow version that contains fix.\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue."}], "id": "CVE-2026-31987", "lastModified": "2026-04-18T04:16:15.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T14:16:13.490", "references": [{"source": "security@apache.org", "url": "https://github.com/apache/airflow/issues/62428"}, {"source": "security@apache.org", "url": "https://github.com/apache/airflow/issues/62773"}, {"source": "security@apache.org", "url": "https://github.com/apache/airflow/pull/62964"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/16/7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.2.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-18T09:25:32.502581+00:00", "value": {"mitigation_remediation": ["Upgrade Airflow to version 3.2.0 or later, which removes the log exposure.", "Scan existing log files for any recorded JWT tokens, delete or rotate those logs, and ensure that previous versions are cleaned.", "Adjust the logging configuration to mask or omit sensitive fields such as JWTs in future logs."], "summary": {"action": "Patch", "impact": "Privilege Escalation via exposed JWT tokens"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of Apache Airflow maintained by the Apache Software Foundation. Versions prior to 3.2.0 have not applied the fix, so any release older than 3.2.0 is susceptible.", "description_and_impact": "JWT tokens used by Apache Airflow tasks were recorded in log files. Anyone who can read these logs, such as a UI user, would obtain a token that grants the authority of a Dag Author. Using that token, an attacker could create, modify, or delete DAG definitions, potentially injecting malicious code or causing unauthorized data processing.", "risk_and_exploitability": "The EPSS score is < 1%, indicating a low likelihood of exploitation, and the issue is not listed in the KEV catalog, so official exploitation data is sparse. The attack vector is inferred to be through the Airflow UI or any process that reads the application logs; thus, individuals with log access pose a risk. The CVSS score is 7.5, reflecting a moderate to high impact if exploited."}}}}, "created": "2026-04-16T15:30:06.054751+00:00", "updated": "2026-04-18T09:30:25.691112+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}