CVE-2026-45426: Apache Airflow Log-Server JWT Validation Flaw Enables Cross-Dag Access
Apache Airflow's log server uses a flawed string-matching approach to authorize workers' access to task logs. Instead of checking if a worker's JWT token matches a specific Dag name exactly, the system strips characters from the left side of requested Dag names in a way that can match multiple unintended Dags. An authenticated worker with a token for 'dag_a' could read logs from 'dag_attacker', 'aaaa_target', or '_dag_secret'—any Dag whose name starts with characters found in 'dag_a'. This breaks the intended per-Dag log isolation in multi-team environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of characters from the left (not a prefix), so a JWT issued for a Dag named e.g. `dag_a` would authorize log access to any other Dag whose name began with any subset of the characters `{d, a, g, _}` (e.g. `dag_attacker`, `aaaa_target`, `_dag_secret`). Such an authenticated worker could enumerate and read worker logs of other Dags whose names happened to share that character-class prefix, leaking task output and error traces beyond the documented per-Dag isolation boundary. Affects deployments relying on per-Dag log-access scoping (multi-team, shared-executor, shared-worker topologies). Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from misuse of Python's `str.lstrip()` during JWT token validation in Airflow's log server. The function strips any character from a set rather than matching a prefix, so validating a JWT with `sub` claim 'dag_a' against a requested path checks whether the path starts with any combination of {d, a, g, _}. This character-class matching rather than exact-prefix matching allows a worker with valid credentials for one Dag to enumerate and access logs from other Dags whose names happen to begin with overlapping characters. The flaw affects deployments where per-Dag log access scoping is relied upon for isolation, particularly multi-tenant, shared-executor, or shared-worker topologies.
Business impact
In multi-team or shared-executor environments, this flaw enables unauthorized information disclosure across Dag boundaries. Workers can read task output, error traces, and sensitive logs from other teams' or departments' Dags, potentially exposing credentials, data processing details, or business logic embedded in logs. While the vulnerability does not allow code execution or data modification, the breach of logical isolation undermines the security model for organizations that rely on Dag-level access control to enforce data compartmentalization.
Affected systems
Apache Airflow versions prior to 3.2.2 are affected. The vulnerability specifically impacts deployments using the log server with per-Dag JWT authorization, particularly those with multiple teams or users sharing workers. Single-tenant or tightly controlled single-team deployments have lower exposure, but any multi-user Airflow installation relying on per-Dag log isolation should be considered at risk.
Exploitability
Exploitation requires an attacker to already possess a valid, authenticated Airflow worker account with a Log-server JWT token issued for at least one Dag. The attacker cannot gain initial access via this flaw; they must have legitimate credentials. Given that prerequisite, discovering and reading logs from other Dags is trivial—character-class matching means no complex enumeration is needed, only requests to Dag names that share a character prefix. The CVSS score of 3.1 (LOW) reflects the requirement for prior authentication and the limited scope of impact (information disclosure only).
Remediation
Upgrade Apache Airflow to version 3.2.2 or later. The patch corrects the JWT validation logic to use proper prefix matching or exact string comparison instead of `str.lstrip()`. Organizations should test the upgrade in a non-production environment first, particularly those with custom authentication or log-server integrations. No configuration changes or workarounds are documented as substitutes for patching.
Patch guidance
Consult the official Apache Airflow release notes and security advisory for version 3.2.2 to verify compatibility with your deployment. Review any custom Dag naming conventions or access control overlays you may have implemented, as the fix may affect their behavior. Plan the upgrade during a maintenance window to account for potential worker restarts. If you are running a version substantially older than 3.2.2, consider whether intermediate patch versions exist and test accordingly.
Detection guidance
Monitor Airflow log-server access logs for requests from a single worker to multiple Dags whose names share character prefixes but are owned by different teams or users. Look for patterns such as a worker token issued for 'dag_a' accessing logs for 'aaaa_target', 'dag_attacker', '_dag_secret', etc. Examine worker JWT tokens and their `sub` claims to identify which Dags each token is authorized for, then cross-reference against actual log requests in access logs. Increased cross-Dag log enumeration by a single worker may indicate exploitation.
Why prioritize this
This vulnerability merits timely but not emergency patching. The CVSS score is LOW, exploitation requires pre-existing authentication, and impact is limited to log disclosure. However, in multi-team or regulated environments where per-Dag isolation is a documented security control, the breach of that control is material and should not be deferred indefinitely. Prioritize based on your reliance on Dag-level access scoping; single-tenant or air-gapped deployments can defer longer than shared-executor environments handling sensitive workloads.
Risk score, explained
The CVSS 3.1 score of 3.1 reflects a Low severity due to the required authenticated access (PR:L), high attack complexity in discovering the flawed behavior (AC:H), and limited impact scope—confidentiality is compromised (C:L) but integrity and availability are unaffected (I:N, A:N). The network-accessible attack vector (AV:N) partially offsets the access requirements. The low score appropriately captures that this is an information-disclosure issue within a trusted-user model rather than a critical system compromise.
Frequently asked questions
Do we need to patch if we only have one team or user using Airflow?
Single-team or single-user deployments have minimal exposure because the attacker and victim are the same logical entity—there is no competing Dag owner to target. However, if you manage multiple environments (dev, staging, prod) or have service accounts with broad permissions, character-class overlap could still leak sensitive logs. Patching is still recommended for completeness, but urgency is lower.
Will upgrading to 3.2.2 break our existing Dag access tokens?
The patch corrects the validation logic to use proper prefix or exact matching. If your Dag naming convention relies on the buggy character-class behavior (which would be unusual), tokens may behave differently post-patch. Review your naming scheme and test in a staging environment. Contact the Apache Airflow community or your vendor support for guidance on any custom integrations.
Can we mitigate this without patching?
There is no documented configuration or workaround that replaces the patch. You can reduce risk by restricting which workers receive JWT tokens, using strict Dag naming conventions that avoid character-class overlaps, or segregating teams into separate Airflow instances. These do not eliminate the underlying flaw but may reduce exposure. Patching remains the authoritative fix.
How do we know if this was exploited in our environment?
Audit your log-server access logs for suspicious cross-Dag requests by individual workers, particularly requests to Dags owned by different teams or users. Compare worker JWT `sub` claims against the Dags they accessed; look for mismatches indicating character-class abuse. If you have no centralized logging, enable it immediately and review the past 90 days of access patterns. Consider engaging a forensics team if you suspect compromise.
This analysis is based on the CVE record and publicly available advisory information as of the publication date. Security characteristics, patch availability, and risk profiles may change. Organizations should verify patch version numbers, compatibility, and deployment impact against official Apache Airflow documentation and security advisories. This page does not constitute legal, compliance, or professional security advice; consult your security team or vendor for guidance tailored to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40914MEDIUMApache Artemis STOMP Protocol Authorization Bypass
- CVE-2025-14774HIGHABB T-MAC Plus Denial-of-Service Vulnerability (CVSS 7.4)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals