HIGH 8.8

CVE-2026-49298: Apache Airflow KubernetesExecutor JWT Token Exposure in Pod Specs

Apache Airflow's KubernetesExecutor has a credential exposure bug where JWT tokens used by worker pods to authenticate against the Execution API are inadvertently visible in Kubernetes pod specifications. An attacker with read-only access to the Airflow namespace in Kubernetes (a common access level) can retrieve these tokens from standard `kubectl describe pod` commands and then use them to execute privileged API operations—such as triggering DAG runs, clearing runs, or modifying Variables, Connections, and XComs—without needing direct task execution privileges. This vulnerability only affects deployments using the KubernetesExecutor. The fix requires upgrading both the airflow-providers-cncf-kubernetes package (if not already done per CVE-2026-27173) and the core apache-airflow package to close complementary attack surfaces.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-538
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints — triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs — as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade `apache-airflow` to 3.2.2 or later to close the core-side surface — the two fixes are complementary, not duplicates.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from JWT tokens being passed as command-line arguments to worker container specs in Kubernetes pods, rendering them visible in the pod specification object stored in etcd and retrievable via kubectl. An authenticated principal with `pods/get` permissions (or equivalent list/describe access) in the Airflow namespace can extract these tokens and replay them against the Execution API without additional authentication. This allows state-mutating operations (triggering runs, clearing runs, modifying task-related data) that would normally require task-context authorization. The root cause is insufficient credential handling in the KubernetesExecutor's pod template construction. Remediation involves two complementary patches: apache-airflow-providers-cncf-kubernetes 10.17.0+ (which modifies how credentials are injected into pods) and apache-airflow 3.2.2+ (which addresses the core Execution API side). Both upgrades are necessary to fully eliminate the exposure.

Business impact

Attackers with even minimal Kubernetes namespace read permissions can now escalate to arbitrary workflow manipulation and data exfiltration. This is particularly damaging in multi-tenant or federated environments where Kubernetes read access is widely distributed—e.g., developers, platform engineers, or monitoring tools. The ability to trigger DAG runs, clear run history, or modify Variables and Connections can disrupt critical data pipelines, introduce backdoors into workflow logic, or expose sensitive credentials stored in Airflow's metadata layer. For organizations running sensitive ETL, analytics, or orchestration workloads, this represents a significant insider-risk and lateral-movement vector.

Affected systems

Only Apache Airflow deployments using the KubernetesExecutor are affected. Organizations using other executors (LocalExecutor, CeleryExecutor, etc.) are not exposed by this vulnerability. Affected versions are those prior to apache-airflow 3.2.2. The vulnerability is present regardless of whether airflow-providers-cncf-kubernetes has already been patched, because the core package also participates in credential handling. Deployments that have already upgraded airflow-providers-cncf-kubernetes to 10.17.0+ per CVE-2026-27173 are not fully protected until the core airflow package is also upgraded.

Exploitability

Exploitability is relatively straightforward for an attacker with Kubernetes namespace read access. No exploit code, privilege escalation, or social engineering is required beyond standard kubectl commands. The attack surface is live as long as worker pods are running, making the window of exposure continuous in active Airflow clusters. However, the attacker must already be authenticated to the Kubernetes API and have been granted read permissions—this is not an unauthenticated or pre-auth vulnerability. In environments with strict Kubernetes RBAC policies that limit namespace visibility, exposure may be reduced, though best practice should assume the worst case.

Remediation

Upgrade apache-airflow to version 3.2.2 or later. Organizations that have already applied the CVE-2026-27173 fix (airflow-providers-cncf-kubernetes 10.17.0+) must still perform this upgrade, as the two patches are complementary and address different parts of the credential-handling pipeline. Verify that both packages are at the required versions before considering the vulnerability resolved. No configuration changes or workarounds are known; patching is the only remediation path. Plan upgrades during a maintenance window to avoid disruption to running DAGs.

Patch guidance

Obtain apache-airflow 3.2.2 or later from the official Python Package Index (PyPI) or your organization's artifact repository. Consult the Apache Airflow release notes and migration guide to verify compatibility with your current version and any customizations. If your deployment also uses airflow-providers-cncf-kubernetes, ensure it is at version 10.17.0 or later (per CVE-2026-27173) before or concurrently with the core upgrade. Test the upgrade in a staging environment that mirrors your production KubernetesExecutor configuration, including worker pod templates and authentication settings. After upgrade, restart or redeploy Airflow scheduler and webserver services, and allow any running worker pods to drain gracefully before redeploying them with the patched version.

Detection guidance

Monitor for suspicious use of the Execution API endpoints by reviewing Airflow webserver logs and audit trails for unexpected DAG triggers, run clears, or Variable/Connection modifications. In Kubernetes, audit logs can reveal unexpected `pods/get` or `pods/list` API calls followed by suspicious activity within the Airflow cluster. If available, use a service mesh (e.g., Istio) or API gateway to log and alert on Execution API calls from unexpected service accounts. Additionally, review Kubernetes RBAC policies to identify and audit which identities have namespace read access; consider tightening permissions to a minimal set. Look for JWT token artifacts in pod descriptions or logs if you suspect compromise. Implement network policies to restrict which services can call the Execution API.

Why prioritize this

This is a HIGH-severity vulnerability (CVSS 8.8) combining a credible attack path with significant blast radius. The prerequisite for exploitation—Kubernetes read access—is common in federated and multi-tenant cloud environments. The ability to mutate workflow state and access sensitive data stored in Airflow (Variables, Connections, XComs) directly affects confidentiality, integrity, and availability of data pipelines. The fix is straightforward and low-risk, making this an ideal candidate for urgent patching. Organizations should prioritize this within their next maintenance window, particularly if their Airflow clusters handle critical or sensitive data, or if Kubernetes namespace access is distributed across development teams.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: attack vector Network (AV:N) because the Execution API is network-accessible; low attack complexity (AC:L) because no special conditions are needed beyond standard kubectl commands; low privilege required (PR:L) because an authenticated Kubernetes user is needed but read-only access is sufficient; no user interaction (UI:N); unchanged scope (S:U); and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H) because an attacker can read sensitive data, modify workflow state, and disrupt pipeline availability. The score appropriately reflects the severity but notes that exploitation requires prior Kubernetes access, which is a mitigating factor in isolated or air-gapped deployments.

Frequently asked questions

Does this affect Airflow deployments using executors other than KubernetesExecutor?

No. This vulnerability is specific to the KubernetesExecutor. Deployments using LocalExecutor, CeleryExecutor, SequentialExecutor, or other non-Kubernetes executors are not affected. Verify your executor configuration in airflow.cfg (setting `executor = KubernetesExecutor`) to determine if you are exposed.

We already upgraded airflow-providers-cncf-kubernetes per CVE-2026-27173. Are we still vulnerable?

Yes. The two vulnerabilities address complementary parts of the credential-handling pipeline. Upgrading only airflow-providers-cncf-kubernetes closes one attack surface but leaves the core airflow package vulnerable. Both upgrades (airflow-providers-cncf-kubernetes 10.17.0+ and apache-airflow 3.2.2+) are required to fully remediate. Verify both package versions after upgrade.

Can we mitigate this without upgrading if we restrict Kubernetes RBAC?

Restricting Kubernetes RBAC to deny namespace read access to all but essential identities will reduce exposure, but this is not a complete mitigation. It does not address the underlying credential-exposure bug and may be operationally difficult to enforce consistently. Patching is the only reliable remediation.

How do we know if this vulnerability has been exploited in our environment?

Check Airflow webserver logs and audit trails for unexpected DAG triggers, run clears, or Variable/Connection modifications, particularly if correlated with kubectl commands from unusual service accounts. Kubernetes audit logs can reveal `pods/get` calls followed by suspicious Execution API activity. If you suspect breach, review all Variables and Connections for unauthorized changes and rotate any credentials stored there as a precaution.

This analysis is based on the CVE record and vendor advisory as of the published date. Organizations should verify patch availability and compatibility with their specific Airflow deployment configuration before applying updates. CVSS and severity scores represent base-case scoring and may not account for compensating controls or environment-specific factors. This is not legal, compliance, or liability advice. Consult your security team, change management, and the Apache Airflow community for guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).