VYPR
Medium severity6.5NVD Advisory· Published Jun 1, 2026· Updated Jun 3, 2026

CVE-2026-48726

CVE-2026-48726

Description

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoke_token() call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with FabAuthManager or KeycloakAuthManager (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side revoke_token() reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to apache-airflow 3.2.2 or later to cover the FAB / Keycloak logout paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Apache/Airflow2 versions
    cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*range: <3.2.2
    • (no CPE)range: >=3.2.2
  • osv-coords
    Range: < 3.2.2

Patches

Vulnerability mechanics

References

3

News mentions

1