CVE-2026-27173 Overview
CVE-2026-27173 affects Apache Airflow deployments that use the Kubernetes Executor. Each worker pod receives a JSON Web Token (JWT) that authenticates it to the Task SDK and the Airflow API. The token is placed where any principal with read-only access to the pod specification, including its environment data, can retrieve it.
An attacker with namespace-level pod read permissions can extract a worker JWT and impersonate the running task. This lets the attacker invoke Task SDK actions and modify state in the Airflow metadata database, escalating well beyond the intended read-only scope. The flaw is classified as CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory.
Critical Impact
Read-only Kubernetes users can steal worker JWTs, impersonate Airflow tasks, and tamper with Airflow database state.
Affected Products
- Apache Airflow deployments using the Kubernetes Executor
- Airflow worker pods scheduled via the Kubernetes Executor
- Airflow Task SDK endpoints authenticated by worker JWTs
Discovery Timeline
- 2026-05-19 - CVE-2026-27173 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-27173
Vulnerability Analysis
The Apache Airflow Kubernetes Executor launches each task instance as a separate Kubernetes pod. To let the worker communicate with the Airflow API and Task SDK, the scheduler provisions a short-lived JWT and passes it to the pod. Whoever presents that token is treated as the authenticated task, with rights to update task state, write logs, push XComs, and trigger follow-on operations against the Airflow metadata database.
The vulnerability stems from how this JWT is placed onto the worker pod. The token ends up in the pod specification itself (for example as a literal environment variable value), which the standard Kubernetes API returns to any principal holding get, list, or watch on pods in the executor namespace. Neither pods/exec nor read access to Secrets is required.
Once obtained, the JWT grants the same privileges as the running task. The attacker can call Task SDK endpoints to mark tasks as success or failed, alter XCom values, and write to the Airflow database. This crosses a trust boundary: read-only Kubernetes RBAC was never intended to confer write access to Airflow.
Root Cause
The root cause is sensitive credential material being placed into a Kubernetes resource scope that is readable by lower-privileged users. Pod specs and environment variables are not a confidential channel: they are returned in full by kubectl get pod -o yaml to anyone with pod read permission. Note that only a literal env value is exposed this way; an env var sourced through valueFrom.secretKeyRef shows a pod reader the Secret's name, not its contents, which is why Secret-backed delivery paired with tight RBAC on Secrets is the usual pattern for material like this.
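To make the exposure concrete, the following is an added example (not code from the Airflow project or from the upstream fix) that scans a kubectl get pods -o json dump for JWT-shaped strings reachable by a pod reader and decodes their claims for inspection. The PodList and the env var name AIRFLOW_WORKER_TOKEN are constructed for illustration and do not assert where any particular Airflow release places the token.

```python
"""Scan a `kubectl get pods -n airflow -o json` dump for JWT-shaped strings
that any principal with pod read access could lift.

Added example, not code from the Airflow project or the upstream fix. The
pod object and the env var name AIRFLOW_WORKER_TOKEN are constructed for
illustration; they do not assert where a given Airflow release places the
token.
"""
import base64
import json
import re

# header.payload.signature, each segment base64url without padding
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def _walk(node, path=""):
    """Yield (json_path, value) for every scalar in a nested structure."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk(val, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _walk(val, f"{path}[{idx}]")
    else:
        yield path, node


def find_exposed_tokens(pod_list: dict) -> list:
    """One finding per JWT-shaped string anywhere in a PodList.

    A literal env[].value is the classic hit. An env var sourced through
    valueFrom.secretKeyRef only carries the Secret's name in the pod spec,
    so it is invisible to this scan and to a pod reader alike.
    """
    findings = []
    for pod in pod_list.get("items", []):
        for path, value in _walk(pod):
            if isinstance(value, str) and JWT_RE.match(value):
                claims = jwt_claims(value)
                findings.append({
                    "pod": pod["metadata"]["name"],
                    "path": path.lstrip("."),
                    "sub": claims.get("sub"),
                    "exp": claims.get("exp"),
                })
    return findings


def _demo_token(claims: dict) -> str:
    # Constructed token: real header/payload encoding, dummy signature.
    header = _b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{'A' * 43}"


# Constructed PodList in the shape `kubectl get pods -o json` returns.
SAMPLE_PODS = {
    "items": [{
        "metadata": {"name": "my-dag-task-a-abc12", "namespace": "airflow"},
        "spec": {"containers": [{"name": "base", "env": [
            {"name": "AIRFLOW_WORKER_TOKEN",
             "value": _demo_token({"sub": "ti-1", "exp": 1800000000})},
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "airflow-db", "key": "password"}}},
        ]}]},
    }]
}

if __name__ == "__main__":
    for hit in find_exposed_tokens(SAMPLE_PODS):
        print(f"{hit['pod']}: {hit['path']} sub={hit['sub']} exp={hit['exp']}")
```

Run it against real output with json.load(open("pods.json")) in place of SAMPLE_PODS. Because the scan walks every scalar in the object, it also catches tokens hidden in annotations or command arguments, not only in env values; the Secret-backed DB_PASSWORD entry produces no finding, which is the behaviour a pod reader sees too.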
Attack Vector
Exploitation requires authenticated access to the Kubernetes API with pod read permission in the namespace running the Airflow executor; no Airflow credentials are needed beforehand. The attacker enumerates worker pods, extracts the JWT, and presents it to the Airflow Task SDK API. See the GitHub Pull Request and the Apache Mailing List Thread for the upstream fix and disclosure details.
Detection Methods for CVE-2026-27173
Indicators of Compromise
- Task SDK or Airflow API calls originating from IP addresses that do not match scheduler or worker pod CIDR ranges.
- Task state transitions in the Airflow metadata database without a corresponding scheduler-issued execution event.
- Kubernetes audit log entries showing read-only service accounts performing get or list on pods in the Airflow executor namespace at unusual frequency.
Detection Strategies
- Correlate Kubernetes API audit logs with Airflow API authentication logs to find JWTs presented from unexpected source identities or networks.
- Alert on any non-worker principal issuing Task SDK calls, since a worker token should only ever be presented by the pod it was issued to.
- Baseline normal pod-read activity per service account and flag deviations targeting Airflow namespaces.
Monitoring Recommendations
- Enable Kubernetes API server audit logging at the Metadata level or higher for the Airflow namespace. Metadata level records the requesting principal, verb, and object for every pod get or list, which is enough to attribute a read; request and response bodies are not needed.
- Forward Airflow webserver, API, and Task SDK logs to a centralized analytics platform for cross-source correlation.
- Track JWT issuance and reuse counts and alert when a single token is presented from multiple distinct source IPs.
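The following is an added example, not code from the Airflow project, that implements the three detections above over constructed logs: it flags non-allowlisted principals reading pods in the executor namespace (Kubernetes audit events in the real audit Event schema), flags a token fingerprint presented from more than one source IP, and joins the two within a time window. The API records assume a front proxy that logs a hash of the bearer token as token_fp, which Airflow does not do by default, and the allowlist of expected pod readers is an assumption for the sample cluster.

```python
"""Correlate Kubernetes audit events with Airflow API access records to
surface worker-JWT theft.

Added example, not code from the Airflow project. Both log samples are
constructed. Audit events follow the Kubernetes audit Event schema; the API
records assume a front proxy that logs a hash of the bearer token
(`token_fp`) rather than the token, which Airflow does not do by default.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AIRFLOW_NS = "airflow"
# Assumed allowlist: principals expected to read pods in the executor namespace.
ALLOWED_POD_READERS = {"system:serviceaccount:airflow:airflow-scheduler"}
WINDOW = timedelta(minutes=30)


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def suspicious_pod_reads(audit_lines):
    """Audit events where a non-allowlisted principal gets/lists/watches
    pods in the Airflow namespace."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if (ev.get("verb") in {"get", "list", "watch"}
                and ref.get("resource") == "pods"
                and ref.get("namespace") == AIRFLOW_NS
                and ev["user"]["username"] not in ALLOWED_POD_READERS):
            hits.append({"time": _ts(ev["requestReceivedTimestamp"]),
                         "user": ev["user"]["username"],
                         "source_ip": (ev.get("sourceIPs") or ["?"])[0]})
    return hits


def token_reuse(api_lines):
    """token_fp -> time-sorted (time, src_ip) uses, for tokens seen from >1 IP."""
    seen = defaultdict(list)
    for line in api_lines:
        rec = json.loads(line)
        seen[rec["token_fp"]].append((_ts(rec["time"]), rec["src_ip"]))
    return {fp: sorted(v) for fp, v in seen.items() if len({ip for _, ip in v}) > 1}


def correlate(audit_lines, api_lines):
    """Join each multi-IP token with suspicious pod reads that happened in
    the WINDOW before its first use from a foreign IP."""
    reads = suspicious_pod_reads(audit_lines)
    alerts = []
    for fp, uses in token_reuse(api_lines).items():
        home_ip = uses[0][1]  # assumption: the first presenter is the real worker
        first_t, first_ip = next((t, ip) for t, ip in uses if ip != home_ip)
        prior = [r for r in reads if first_t - WINDOW <= r["time"] <= first_t]
        alerts.append({"token_fp": fp, "worker_ip": home_ip, "foreign_ip": first_ip,
                       "first_foreign_use": first_t.isoformat(),
                       "likely_reader": sorted({r["user"] for r in prior})})
    return alerts


def _audit(ts, verb, user, ip, ns, name=None):
    # Constructed audit event with the fields the detection reads.
    ref = {"resource": "pods", "namespace": ns}
    if name:
        ref["name"] = name
    return json.dumps({"kind": "Event", "requestReceivedTimestamp": ts, "verb": verb,
                       "user": {"username": user}, "sourceIPs": [ip], "objectRef": ref})


AUDIT_EVENTS = [  # constructed
    _audit("2026-05-20T09:58:10Z", "list", "system:serviceaccount:airflow:airflow-scheduler", "10.42.0.7", "airflow"),
    _audit("2026-05-20T10:01:30Z", "get", "system:serviceaccount:dev-tools:readonly-viewer", "10.42.3.21", "airflow", "my-dag-task-a-abc12"),
    _audit("2026-05-20T10:02:00Z", "list", "alice@example.com", "10.42.3.21", "default"),
]

API_RECORDS = [  # constructed front-proxy records for the Airflow API
    json.dumps({"time": "2026-05-20T10:00:05Z", "src_ip": "10.42.1.5", "token_fp": "sha256:3f1a", "path": "/execution/task-instances/ti-1/heartbeat"}),
    json.dumps({"time": "2026-05-20T10:04:12Z", "src_ip": "10.42.3.21", "token_fp": "sha256:3f1a", "path": "/execution/task-instances/ti-1/state"}),
    json.dumps({"time": "2026-05-20T10:00:07Z", "src_ip": "10.42.1.6", "token_fp": "sha256:9c2e", "path": "/execution/task-instances/ti-2/heartbeat"}),
]

if __name__ == "__main__":
    for alert in correlate(AUDIT_EVENTS, API_RECORDS):
        print(json.dumps(alert, indent=2))
```

The join is what turns two weak signals into a strong one: a read-only service account listing pods in the airflow namespace is noisy on its own, and a token seen from two IPs could be NAT, but a foreign-IP token use shortly after an unexpected pod read names both the stolen token and the principal that most likely lifted it.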
How to Mitigate CVE-2026-27173
Immediate Actions Required
- Upgrade Apache Airflow to the patched release that incorporates the fix from Apache Airflow PR #60108.
- Audit and tighten Kubernetes RBAC so that only the Airflow scheduler and cluster administrators have read access to worker pod specifications in the executor namespace.
- Rotate the JWT signing secret and invalidate outstanding worker JWTs after patching; tokens harvested before the upgrade remain valid until they expire or the signing key changes.
Patch Information
The Apache Airflow project addressed the issue upstream. Refer to the GitHub Pull Request for the code change and the Openwall OSS-Security Archive advisory for affected versions and remediation guidance.
Workarounds
- Restrict Kubernetes RBAC get, list, and watch verbs on pods and pods/log in the Airflow executor namespace to administrative service accounts only.
- Place the Airflow executor in a dedicated namespace isolated from general developer or read-only tenants.
- Shorten worker JWT lifetimes and, where the Airflow release supports it, bind tokens to the issuing pod identity to reduce the replay window.
# Configuration example: grant pod read access in the Airflow executor
# namespace to the scheduler's service account only. Creating this Role
# does not revoke broader grants; also remove any RoleBinding or
# ClusterRoleBinding that hands pods get/list/watch (for example the
# built-in "view" ClusterRole) to developer or read-only principals.
kubectl create role airflow-pod-reader \
  --verb=get,list,watch \
  --resource=pods,pods/log \
  --namespace=airflow
kubectl create rolebinding airflow-pod-reader-binding \
  --role=airflow-pod-reader \
  --serviceaccount=airflow:airflow-scheduler \
  --namespace=airflow
# Verify that a read-only tenant account can no longer read worker pods
# (replace dev-tools:readonly-viewer with the principal under review):
kubectl auth can-i get pods --namespace=airflow \
  --as=system:serviceaccount:dev-tools:readonly-viewer
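Creating a tight Role is only half of the workaround; the other half is finding every existing binding that already grants pod reads in the executor namespace. The following is an added example, not code from the Airflow project, that evaluates Roles, ClusterRoles, RoleBindings and ClusterRoleBindings and lists every subject able to get, list or watch pods in the airflow namespace. Feed it the items from kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json; the objects below are constructed stand-ins, and the allowlist is an assumption. resourceNames restrictions and the kube-system wildcard groups are not evaluated.

```python
"""List every RBAC subject that can get/list/watch pods in the Airflow
executor namespace, so broad bindings (e.g. the built-in `view`
ClusterRole handed to developers) can be found and removed.

Added example, not code from the Airflow project. The objects below are
constructed stand-ins for the `items` of
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
resourceNames restrictions are not evaluated.
"""
POD_READ_VERBS = {"get", "list", "watch"}


def rule_grants_pod_read(rule: dict) -> bool:
    """True if a PolicyRule covers core-group pods with any read verb."""
    groups = rule.get("apiGroups", [""])  # absent apiGroups means core group
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    core = "" in groups or "*" in groups
    pods = "pods" in resources or "*" in resources
    return core and pods and bool(verbs & POD_READ_VERBS or "*" in verbs)


def _subject_id(subject: dict) -> str:
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', 'default')}:{subject['name']}"
    return f"{subject['kind'].lower()}:{subject['name']}"


def pod_readers(objects, namespace="airflow") -> dict:
    """subject id -> list of bindings through which it can read pods in `namespace`."""
    roles = {}
    for obj in objects:
        if obj["kind"] == "Role":
            roles[("Role", obj["metadata"]["namespace"], obj["metadata"]["name"])] = obj.get("rules", [])
        elif obj["kind"] == "ClusterRole":
            roles[("ClusterRole", None, obj["metadata"]["name"])] = obj.get("rules", [])
    readers = {}
    for obj in objects:
        ref = obj.get("roleRef", {})
        if obj["kind"] == "RoleBinding":
            if obj["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding only grants inside its own namespace
            key = (ref["kind"], namespace if ref["kind"] == "Role" else None, ref["name"])
            via = f"RoleBinding/{obj['metadata']['name']}"
        elif obj["kind"] == "ClusterRoleBinding":
            key = ("ClusterRole", None, ref["name"])  # cluster-wide, so it covers `namespace`
            via = f"ClusterRoleBinding/{obj['metadata']['name']}"
        else:
            continue
        if any(rule_grants_pod_read(r) for r in roles.get(key, [])):
            for subject in obj.get("subjects", []):
                readers.setdefault(_subject_id(subject), []).append(via)
    return readers


def unexpected_readers(objects, allowed, namespace="airflow") -> dict:
    """Pod readers that are not on the allowlist; the bindings to remove."""
    return {s: v for s, v in pod_readers(objects, namespace).items() if s not in allowed}


def _role(kind, name, rules, ns=None):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, "rules": rules}


def _binding(kind, name, ref_kind, ref_name, subjects, ns=None):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": subjects}


POD_READ_RULE = {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}
SAMPLE_OBJECTS = [  # constructed
    _role("ClusterRole", "view", [POD_READ_RULE, {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]),
    _role("Role", "airflow-pod-reader", [POD_READ_RULE], ns="airflow"),
    _role("Role", "airflow-metrics", [{"apiGroups": [""], "resources": ["services"], "verbs": ["get"]}], ns="airflow"),
    _binding("RoleBinding", "airflow-pod-reader-binding", "Role", "airflow-pod-reader",
             [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}], ns="airflow"),
    _binding("RoleBinding", "dev-view", "ClusterRole", "view", [{"kind": "Group", "name": "developers"}], ns="airflow"),
    _binding("ClusterRoleBinding", "ops-view", "ClusterRole", "view", [{"kind": "User", "name": "ops@example.com"}]),
    _binding("RoleBinding", "metrics", "Role", "airflow-metrics",
             [{"kind": "ServiceAccount", "name": "metrics", "namespace": "airflow"}], ns="airflow"),
    _binding("RoleBinding", "other", "ClusterRole", "view", [{"kind": "User", "name": "bob"}], ns="other-ns"),
]
ALLOWED = {"system:serviceaccount:airflow:airflow-scheduler"}  # assumed allowlist

if __name__ == "__main__":
    for subject, bindings in unexpected_readers(SAMPLE_OBJECTS, ALLOWED).items():
        print(f"REMOVE {subject} via {', '.join(bindings)}")
```

In the sample, the developers group (a namespaced RoleBinding to view) and ops@example.com (a ClusterRoleBinding to view) both surface as readers to remove, while the metrics account and bob in another namespace correctly do not. Run this before and after the RBAC change; the after run should return only the allowlisted scheduler account.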
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


