High severity 7.5 · NVD Advisory · Published Apr 16, 2026 · Updated Apr 20, 2026
CVE-2026-31987
Description
JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix.
Users are recommended to upgrade to version 3.2.0, which fixes this issue.
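An added example (not from the advisory or the Airflow project): a log scan that finds JWT-shaped strings, confirms that the header and payload decode as JSON, reports whether each token is still unexpired, and returns the text with the tokens redacted. The log lines and token are constructed; the real Airflow log format is an assumption this page does not document.

```python
import base64
import json
import re
import time

# JSON objects whose first key starts with a letter base64url-encode to "eyJ...",
# so a JWT shows up as eyJ<header>.eyJ<payload>.<signature>.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_json(segment):
    """Decode one base64url JWT segment to a dict, or return None if it is not JSON."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad padding, bad UTF-8 and bad JSON
        return None
    return value if isinstance(value, dict) else None


def scan_log(text, now=None):
    """Return (findings, redacted_text) for JWTs found in log text."""
    now = time.time() if now is None else now
    findings = []

    def _redact(match):
        header_b64, payload_b64, _sig = match.group(0).split(".")
        header, payload = _b64url_json(header_b64), _b64url_json(payload_b64)
        if header is None or payload is None or "alg" not in header:
            return match.group(0)  # JWT-shaped, but does not decode as one
        exp = payload.get("exp")
        findings.append({
            "line": text.count("\n", 0, match.start()) + 1,
            "alg": header["alg"],
            "exp": exp,
            # No exp claim, or an exp in the future: the token may still be usable.
            "live": not isinstance(exp, (int, float)) or exp > now,
        })
        return "[REDACTED-JWT]"

    return findings, JWT_RE.sub(_redact, text)


def _constructed_log():
    """Constructed sample (not real Airflow output) with one dummy token on line 2."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    token = f'{enc({"alg": "HS512", "typ": "JWT"})}.{enc({"sub": "task", "exp": 2000000000})}.c2ln'
    return f"INFO starting task\nDEBUG headers: Authorization: Bearer {token}\nINFO done\n"
```

Findings marked `live` are the ones to prioritise when reviewing who had read access to the affected logs.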
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | >= 3.0.0, < 3.2.0 | 3.2.0 |
Affected products: 1
Patches: 0 (no patches discovered yet)
References (7)
- www.openwall.com/lists/oss-security/2026/04/16/7 (nvd: Mailing List, Third Party Advisory; WEB)
- github.com/advisories/GHSA-phv5-vq5p-qhp7 (ghsa; ADVISORY)
- github.com/apache/airflow/pull/62964 (nvd: Issue Tracking, Third Party Advisory, Patch; WEB)
- lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g (nvd: Mailing List, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-31987 (ghsa; ADVISORY)
- github.com/apache/airflow/issues/62428 (nvd: Issue Tracking; WEB)
- github.com/apache/airflow/issues/62773 (nvd: Issue Tracking; WEB)