Zero Day Monitor (ZDM)
CVE-2026-31987 · EXPLOITED · PATCHED
apache · airflow

Apache Airflow: JWT token appearing in logs

Description

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to version 3.2.0, which fixes this issue.

Affected Products

Vendor    Product    Versions
apache    airflow    3.0.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor    Product    Source           Confidence
apache    airflow    cert_advisory    90%

References

  • https://github.com/apache/airflow/pull/62964 (patch)
  • https://github.com/apache/airflow/issues/62428 (issue-tracking)
  • https://github.com/apache/airflow/issues/62773 (issue-tracking)
  • https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g (vendor-advisory)

Related News (3 articles)

Tier B · BSI Advisories · 2d ago
[NEW] [medium] Apache Airflow: Vulnerability allows information disclosure
→ No new info (linked only)

Tier C · oss-security · 2d ago
CVE-2026-31987: Apache Airflow: JWT token appearing in logs
→ No new info (linked only)

Tier C · VulDB · 2d ago
CVE-2026-31987 | Apache Airflow up to 3.1.x JWT Token log file (ID 62428)
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: apache-airflow@3.2.0
CWE: CWE-532
Published: Apr 16, 2026
Last enriched: 2d ago (v3)
Trending Score: 46
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-34197 · EXP · KEV
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Trending: 116

HIGH · CVE-2026-35554 · EXP
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
Trending: 39

MEDIUM · CVE-2026-34479 · EXP
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 39

MEDIUM · CVE-2026-34480 · EXP
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 39

MEDIUM · CVE-2026-25219 · EXP
Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
Trending: 36

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

Apr 16, 2026: CVE Published
Apr 16, 2026: Discovered by ZDM
Apr 16, 2026: Updated: description, affectedVersions, severity
Apr 16, 2026: Updated: severity, affectedVersions, exploitAvailable, activelyExploited
Apr 18, 2026: Actively Exploited
Apr 18, 2026: Exploit Available
Apr 18, 2026: Patch Available

Version History

v3 · Last enriched 2d ago

v3 · Tier C · 2d ago
Updated severity to MEDIUM, marked exploit as available, and clarified affected versions.
severity · affectedVersions · exploitAvailable · activelyExploited
via oss-security

v2 · Tier C · 2d ago
Updated description with technical details, changed affected versions to include 3.1.x, and updated severity to HIGH.
description · affectedVersions · severity
via VulDB

v1 · 2d ago
Initial creation