MEDIUM 6.5

CVE-2026-48726: Apache Airflow JWT Token Revocation Bypass in FAB and Keycloak Logout

Apache Airflow has a logout bypass vulnerability where JWT tokens remain valid after users log out through the web UI. When users click logout, the system fails to properly revoke their authentication tokens in deployments using FAB (Flask-AppBuilder) or Keycloak authentication. An attacker with a stolen or previously-issued JWT can continue making authenticated API calls as that logged-out user until the token naturally expires. This is a follow-up to an earlier fix that patched cookies but missed the JWT revocation paths in these two authentication modules.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-613
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Apache Airflow's `FabAuthManager` and `KeycloakAuthManager` implementations, which do not properly invoke the underlying `revoke_token()` method during logout. While the prior CVE-2025-57735 fix addressed cookie invalidation through PRs #57992 and #61339, it did not remediate the token revocation logic in the authentication provider code paths. When a user initiates logout via the UI, the JWT remains in the API server's accepted token list until its natural expiry window closes. SimpleAuthManager is not affected. The vulnerability requires an authenticated or previously-authenticated user and does not involve network-level complexity—standard JWT bearer tokens can be replayed post-logout.

Business impact

An attacker who captures or maintains a copy of a logged-out user's JWT token can continue to impersonate that user for API automation, data exfiltration, or workflow manipulation until token expiry (often hours or days). For organizations running DAG-heavy Airflow instances or using Airflow API for mission-critical scheduling, this creates a window of unauthorized access that may go undetected if audit logs are incomplete. Compliance frameworks (SOC 2, HIPAA, PCI-DSS) typically require session termination to be immediate; this gap violates those expectations.

Affected systems

Only Apache Airflow deployments explicitly configured with `FabAuthManager` or `KeycloakAuthManager` are vulnerable. The vulnerability does not affect deployments using SimpleAuthManager. Any Airflow 2.x or 3.x version prior to 3.2.2 that uses one of the affected authentication managers is in scope. Organizations running air-gapped or internal Airflow instances with either of these auth backends should treat this as urgent; externally-exposed Airflow instances with these auth types are at elevated risk.

Exploitability

Exploitability is straightforward if an attacker has obtained a user's JWT token (through social engineering, application logs, memory dumps, or network interception before logout). No new authentication is required once the token is captured—standard API calls using the Bearer token will succeed. However, the attack requires a precondition: either an attacker must capture the token before logout, or a user must be socially engineered into sharing it. The attack surface is primarily internal (API consumers, automation scripts) unless Airflow APIs are exposed to untrusted networks. The CVSS score of 6.5 (MEDIUM) reflects the requirement for prior low-privilege authentication plus the high confidentiality impact if tokens are compromised.

Remediation

Upgrade to Apache Airflow 3.2.2 or later. If you previously patched CVE-2025-57735, this additional upgrade is necessary to close the FAB and Keycloak logout code paths. Organizations unable to upgrade immediately should implement network-level token revocation by rotating or invalidating JWTs at the Keycloak or identity provider level on logout, or by temporarily blocking known-compromised token IDs at the API gateway. Monitor API call patterns post-logout for anomalies (e.g., automation continuing under a user's ID after they clock out).

Patch guidance

Apply Apache Airflow 3.2.2 or any later 3.x version. Verify your current version with `airflow version`. If you are on 2.x, check with your vendor for backported patches or plan a timeline for upgrade to 3.2.2 LTS. Test the logout flow in a staging environment to confirm tokens are properly revoked—inspect API logs to ensure no requests succeed with invalidated bearer tokens post-logout. If using Keycloak, also verify that your Keycloak token revocation endpoint is reachable and configured in your Airflow environment variables.

Detection guidance

Search your API access logs for Bearer token reuse after a user's recorded logout timestamp. Cross-reference logout events (typically in Airflow's security or UI audit logs) with subsequent API calls using the same Authorization header. Implement alerting for any API calls that arrive after a user's logout event in the same session or from the same token ID. Network-based detection: look for JWT tokens in your proxy or WAF logs that are being replayed beyond their expected session lifetime. If using Keycloak or FAB, enable token revocation audit logging at the provider level.

Why prioritize this

Although the CVSS score is MEDIUM, this vulnerability is a **regression** or incomplete fix for a prior critical session management issue (CVE-2025-57735). Organizations that already deployed patches for the previous CVE should prioritize this follow-up immediately to prevent security control bypass. Token-stealing attacks are common in Airflow environments because DAGs and automation often embed credentials or tokens. The logical next step for an attacker who has captured a token is to use it after the victim logs out—this vulnerability directly enables that attack path.

Risk score, explained

CVSS 6.5 reflects: (1) Network-accessible API (AV:N), (2) Low attack complexity with standard token replay (AC:L), (3) Requirement for low-level authenticated or previously-authenticated context (PR:L), (4) No user interaction needed for the attack itself (UI:N), (5) Unauthorized scope unchanged (S:U), (6) High confidentiality impact (C:H) due to continued API access as a privileged user, and (7) No integrity or availability impact during the token window (I:N, A:N). The score does not escalate to HIGH because it requires preconditions (token capture) and is time-bound by token expiry, but it should not be underestimated in environments where DAGs contain secrets or access sensitive data.

Frequently asked questions

Do I need to patch this if I have already patched CVE-2025-57735?

Yes. CVE-2025-57735 fixed cookie-based session invalidation but did not address JWT token revocation in the FAB and Keycloak authentication paths. This CVE-2026-48726 specifically targets the missed code paths. If you use either FAB or Keycloak, you must upgrade to 3.2.2 to fully remediate logout bypass.

My organization uses SimpleAuthManager. Are we affected?

No. SimpleAuthManager is not affected by this vulnerability. Only deployments configured with FabAuthManager or KeycloakAuthManager need to apply the patch.

What happens if an attacker holds a JWT after a user logs out?

The attacker can make authenticated API calls to Airflow's REST API as that user until the JWT naturally expires (typically hours or days later, depending on your token TTL settings). This could be used to trigger DAGs, read variables, or modify configurations with the victim's permissions.

How can I validate that our logout is working correctly after patching?

In a staging environment, obtain a valid JWT for a test user, log that user out via the UI, then immediately attempt an API call with that JWT. It should fail with a 401 Unauthorized response. If it succeeds, the patch did not apply or revocation is misconfigured. Also check your Airflow and Keycloak/FAB audit logs to confirm revoke_token() is being called during logout.

This analysis is provided for informational purposes. Always verify patch versions, CVE details, and vendor advisories against the official Apache Airflow release notes and security bulletins before deploying. CVSS scores and affected versions are derived from the published CVE record; test thoroughly in a non-production environment before applying patches to production Airflow instances. This vulnerability requires either prior authentication or token capture; isolated air-gapped Airflow deployments may face lower real-world risk than internet-facing instances. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).