Critical severity9.1NVD Advisory· Published Apr 9, 2026· Updated Apr 17, 2026

CVE-2025-57735

Description

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
apache-airflowPyPI	>= 3.0.0, < 3.2.0	3.2.0

Affected products

Apache/Airflow
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Range: >=3.0.0,<3.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/09/16nvdMailing ListThird Party AdvisoryWEB
github.com/advisories/GHSA-c92r-g8j5-vhcxghsaADVISORY
lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98nvdMailing ListVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2025-57735ghsaADVISORY
github.com/apache/airflow/pull/56633nvdIssue TrackingWEB
github.com/apache/airflow/pull/61339nvdIssue TrackingWEB

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000