CVE-2026-31987 PUBLISHED

Apache Airflow: JWT token appearing in logs

Assigner: apache
Reserved: 10.03.2026 Published: 16.04.2026 Updated: 16.04.2026

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Product Status

Vendor Apache Software Foundation
Product Apache Airflow
Versions Default: unaffected
  • affected from 3.0.0 to 3.2.0 (excl.)

Credits

  • unixengineer (finder)
  • Jason Imison (finder)
  • Pineapple (remediation developer)

Problem Types

  • CWE-532: Insertion of Sensitive Information into Log File