CVE-2026-48726 Overview
CVE-2026-48726 is a session management flaw in Apache Airflow's authentication layer. The logout flow for FabAuthManager and KeycloakAuthManager never reaches the revoke_token() call, leaving previously issued JSON Web Tokens (JWTs) valid until their natural expiry. An attacker who already holds a JWT for a user that has logged out can continue invoking the Airflow API as that user. This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation but missed the provider-side revocation path. Deployments using SimpleAuthManager are not affected. The issue is categorized under CWE-613: Insufficient Session Expiration.
Critical Impact
Stolen or leaked Airflow JWTs remain usable after the legitimate user logs out, enabling continued API access as that user until token expiry.
Affected Products
- Apache Airflow deployments configured with FabAuthManager
- Apache Airflow deployments configured with KeycloakAuthManager
- Apache Airflow versions prior to 3.2.2
Discovery Timeline
- 2026-06-01 - CVE-2026-48726 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-48726
Vulnerability Analysis
Apache Airflow issues JWTs to authenticated UI and API clients. When a user clicks logout, the auth manager is expected to invalidate the active session on both the client side (cookies) and the provider side by calling revoke_token(). In FabAuthManager and KeycloakAuthManager, the logout handler returns before reaching revoke_token(). The token remains a valid bearer credential against the Airflow API server until its expiry timestamp passes.
An attacker who has obtained a JWT through prior interception, log exposure, browser compromise, or a shared workstation can replay the token against the API. The API server has no record of revocation and accepts the JWT signature and claims as legitimate. Authentication context is preserved, including the logged-out user's role and Directed Acyclic Graph (DAG) permissions.
Root Cause
The FAB and Keycloak logout code paths short-circuit before invoking provider-side token revocation. The fix for CVE-2025-57735 in pull requests #57992 and #61339 handled cookie clearing but did not restore reachability of revoke_token() for these two managers. The result is a logout that appears complete in the browser while the backing token remains live.
Attack Vector
Exploitation requires the attacker to possess a previously-issued JWT for a target user. With that token, the attacker sends authenticated HTTP requests to the Airflow REST API. Useful operations include reading DAG metadata, triggering DAG runs, retrieving connection details, and exfiltrating variables. The attack succeeds even after the victim explicitly logs out of the UI, because the API server never learns the token was meant to be invalidated.
No verified public proof-of-concept code is published for this issue. Refer to the Apache Airflow Pull Request #67289 for the upstream fix and the Apache Mailing List Discussion for vendor context.
Detection Methods for CVE-2026-48726
Indicators of Compromise
- API requests bearing a JWT for a user whose UI session has already issued a logout event.
- API activity from a source IP or user agent that differs from the original token issuance context.
- DAG triggers, connection reads, or variable reads occurring outside the user's normal working hours.
- Repeated use of the same JWT past a typical interactive session lifetime.
Detection Strategies
- Correlate Airflow webserver logout events with subsequent API authentication events using the same jti or subject claim.
- Enable verbose audit logging on the Airflow API server and forward to a Security Information and Event Management (SIEM) platform for behavioral analysis.
- Alert on JWT reuse from new IP addresses or user agents after a logout event.
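The first two strategies above, correlating logout events with later API calls that present the same jti, as an added example that is not part of this advisory. It runs over constructed JSON audit records (field names ts, event, sub, jti, src_ip and path are assumed; real Airflow and Keycloak log formats will differ and need their own parser) and flags every API request whose token was already logged out, noting how long after logout it occurred and whether the source IP changed.

```python
import json
from datetime import datetime

# Constructed sample audit records (not real Airflow output). One JSON object per
# line; "event" is either "logout" or "api_request". Token t-1 is used again 35
# minutes after alice logged out, from a different source address.
SAMPLE_LOG = """
{"ts":"2026-06-02T09:00:00Z","event":"api_request","sub":"alice","jti":"t-1","src_ip":"10.0.0.5","path":"/api/v1/dags"}
{"ts":"2026-06-02T09:05:00Z","event":"logout","sub":"alice","jti":"t-1","src_ip":"10.0.0.5","path":"/logout"}
{"ts":"2026-06-02T09:40:00Z","event":"api_request","sub":"alice","jti":"t-1","src_ip":"203.0.113.9","path":"/api/v1/connections"}
{"ts":"2026-06-02T10:00:00Z","event":"api_request","sub":"bob","jti":"t-2","src_ip":"10.0.0.7","path":"/api/v1/variables"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in records:
        # Python < 3.11 fromisoformat() does not accept a trailing "Z".
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["ts"])


def find_post_logout_use(records):
    """Return one alert per API request whose jti was logged out earlier."""
    logged_out = {}  # jti -> (logout timestamp, source IP at logout)
    alerts = []
    for r in records:
        if r["event"] == "logout":
            logged_out[r["jti"]] = (r["ts"], r["src_ip"])
        elif r["event"] == "api_request" and r["jti"] in logged_out:
            out_ts, out_ip = logged_out[r["jti"]]
            alerts.append({
                "sub": r["sub"],
                "jti": r["jti"],
                "path": r["path"],
                "minutes_after_logout": (r["ts"] - out_ts).total_seconds() / 60,
                "ip_changed": r["src_ip"] != out_ip,  # second indicator from the IoC list
            })
    return alerts


if __name__ == "__main__":
    for alert in find_post_logout_use(parse_records(SAMPLE_LOG)):
        print(alert)
```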
Monitoring Recommendations
- Ingest Airflow API access logs, Keycloak session events, and FAB auth manager logs into a centralized analytics pipeline.
- Track JWT lifetime distributions and flag tokens that continue making calls beyond expected session duration.
- Monitor sensitive API endpoints such as /api/v1/dags/{dag_id}/dagRuns and /api/v1/connections for anomalous access patterns.
How to Mitigate CVE-2026-48726
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later, even if you already patched for CVE-2025-57735.
- Inventory all deployments using FabAuthManager or KeycloakAuthManager and prioritize internet-exposed instances.
- Rotate signing keys for JWTs to invalidate all outstanding tokens issued by vulnerable releases.
- Force re-authentication for all active users after the upgrade.
Patch Information
The fix is delivered in Apache Airflow 3.2.2. The upstream change restores reachability of revoke_token() in the FAB and Keycloak logout paths. Review the GitHub Pull Request #67289 for the code change and the Apache Airflow Security Mailing List for the official advisory.
Workarounds
- Reduce JWT lifetime in the Airflow auth manager configuration to shrink the window of post-logout validity.
- Restrict Airflow API exposure with network controls so that stolen tokens are unusable from outside trusted networks.
- Temporarily switch to SimpleAuthManager in non-production environments if upgrade timelines slip and the deployment model permits it.
# Upgrade Apache Airflow to the patched release
pip install --upgrade "apache-airflow==3.2.2"
# Restart Airflow components to apply the new auth manager code.
# Airflow 3 replaced the "webserver" command with "api-server".
airflow api-server --daemon
airflow scheduler --daemon
# Rotate the JWT signing key and force re-authentication afterwards (see Immediate Actions).
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.