CVE-2026-49298 Overview
CVE-2026-49298 is a high-severity information exposure vulnerability in Apache Airflow's KubernetesExecutor. The bug causes the JSON Web Tokens (JWTs) that worker pods use to authenticate against the Execution API to be passed as command-line arguments, which are visible in the pod spec. Any authenticated user with pods/get access in the Airflow namespace can harvest these tokens via kubectl describe pod and impersonate a running task. This vulnerability is the airflow-core counterpart to CVE-2026-27173, which addressed the apache-airflow-providers-cncf-kubernetes side of the same flaw. The issue is classified under CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory).
Critical Impact
An attacker with read-only Kubernetes access can steal JWTs and call state-mutating Execution API endpoints — triggering DAG runs, clearing runs, and reading or writing Variables, Connections, and XComs.
Affected Products
- Apache Airflow deployments using the KubernetesExecutor
- apache-airflow versions prior to 3.2.2
- Deployments paired with apache-airflow-providers-cncf-kubernetes versions prior to 10.17.0
Discovery Timeline
- 2026-06-01 - CVE-2026-49298 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-49298
Vulnerability Analysis
Apache Airflow's KubernetesExecutor launches worker pods to run scheduled tasks. Each worker authenticates to the Execution API using a short-lived JWT. The flaw stems from how Airflow injects this token into the worker container: the JWT is appended to the container's command arguments rather than passed through an environment variable or mounted secret. Command-line arguments are stored in the pod spec and are visible to any user or service account with get or list permissions on pods in the Airflow namespace.
The Execution API endpoints accept this JWT for state-mutating operations. An attacker who harvests a token gains the same privileges as the running task, including the ability to trigger DAG runs, clear runs, and read or write Variables, Connections, and XComs. Connection objects often contain credentials for downstream systems such as databases, cloud accounts, and SaaS APIs, extending the blast radius beyond Airflow itself.
Root Cause
The root cause is improper handling of sensitive authentication material. The KubernetesExecutor constructs the worker pod spec with the JWT as part of the args field on the container. Kubernetes treats command and args as non-sensitive metadata that anyone with pods/get can read. Sensitive material should instead be delivered via a Kubernetes Secret referenced through envFrom or a projected volume.
Attack Vector
An authenticated Airflow UI or API user who also holds read-only Kubernetes access to the Airflow namespace executes kubectl describe pod or queries the Kubernetes API for the running worker pod. The JWT is extracted from the container args array. The attacker then calls Execution API endpoints with the harvested token, performing actions attributed to the legitimate task. No code execution on the cluster is required.
Detection Methods for CVE-2026-49298
Indicators of Compromise
- Unexpected pods/get or pods/list API calls against the Airflow namespace from accounts that do not normally read pod specs
- Execution API requests originating from IP addresses outside the worker pod CIDR range
- DAG runs, Variable writes, or Connection modifications attributed to tasks that were already in a terminal state
- kubectl describe pod activity correlated with subsequent Execution API calls using the same JWT
Detection Strategies
- Audit Kubernetes API server logs for get and list verbs on pods resources in the Airflow namespace, filtered by user and service account
- Correlate Airflow Execution API access logs with worker pod lifecycle events to flag tokens used after their associated task finished
- Inspect running worker pod specs for JWT-like strings in spec.containers[].args to confirm exposure on unpatched deployments
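The exposure described under Root Cause and the spec inspection in the last detection strategy can be exercised with the same check. The following is an added example, not Airflow's code or part of the advisory: both pod specs are constructed, the `--token` argument and the `AIRFLOW_TASK_TOKEN` variable name are assumptions rather than Airflow's real CLI or environment names, and the token is a dummy with no real signature.

```python
"""Scan pod specs for JWT-shaped strings in spec.containers[].args (added example)."""
import base64
import json
import re

# A JWT is three base64url segments joined by dots; the first decodes to a JSON header.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def looks_like_jwt(value: str) -> bool:
    """True when value has JWT shape and its header segment decodes to JSON with an 'alg'."""
    if not JWT_RE.match(value):
        return False
    header = value.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore base64 padding stripped by JWT encoding
    try:
        decoded = json.loads(base64.urlsafe_b64decode(header))
    except ValueError:  # bad base64, non-UTF-8 bytes or non-JSON header
        return False
    return isinstance(decoded, dict) and "alg" in decoded


def find_jwts_in_args(pod: dict) -> list:
    """Return (container name, arg index) for every JWT found in the container args."""
    hits = []
    for container in pod.get("spec", {}).get("containers", []):
        for idx, arg in enumerate(container.get("args", [])):
            if looks_like_jwt(str(arg)):
                hits.append((container["name"], idx))
    return hits


# Constructed dummy token: real structure, fake signature segment, no key involved.
FAKE_JWT = ".".join([_b64url({"alg": "HS512", "typ": "JWT"}),
                     _b64url({"sub": "example-dag.example-task", "exp": 0}),
                     "c2lnbmF0dXJl"])

# Constructed "before" spec: the token rides in args, readable by anyone with pods/get.
VULNERABLE_POD = {"spec": {"containers": [{
    "name": "base", "args": ["airflow", "tasks", "run", "--token", FAKE_JWT]}]}}

# Constructed "after" spec: the token is delivered from a Secret via env valueFrom,
# so pods/get reveals only the Secret reference, never the token itself.
HARDENED_POD = {"spec": {"containers": [{
    "name": "base", "args": ["airflow", "tasks", "run"],
    "env": [{"name": "AIRFLOW_TASK_TOKEN",  # hypothetical variable name
             "valueFrom": {"secretKeyRef": {"name": "task-token", "key": "token"}}}]}]}}
```

Run `find_jwts_in_args` over `kubectl get pod -o json` output from an unpatched cluster to confirm exposure; an empty result on the hardened spec shows the Secret-based delivery leaves nothing in args.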
Monitoring Recommendations
- Forward Kubernetes audit logs and Airflow webserver logs to a centralized analytics platform for correlation
- Alert on Execution API calls that mutate Variables or Connections from non-worker source IPs
- Track RBAC bindings granting pods/get in the Airflow namespace and review them on a recurring cadence
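The audit-log review in the detection strategies and the pods/get tracking above can be started from a simple filter over API server audit events. This is an added example, not part of the advisory or of Airflow; it assumes the API server writes JSON-lines audit events at least at Metadata level (verb, user and objectRef are all that is needed), the events below are constructed, and the allow list of expected readers is a placeholder to be filled per cluster.

```python
"""Flag pod spec reads of the Airflow namespace by unexpected identities (added example)."""
import json

AIRFLOW_NS = "airflow"
# Identities expected to read worker pod specs (placeholder; add the scheduler
# service account, node identities and operators' break-glass accounts per cluster).
ALLOWED_READERS = {"system:serviceaccount:airflow:airflow-scheduler"}

# get and list return full pod objects; watch streams them too, so it is included.
SPEC_READ_VERBS = ("get", "list", "watch")

# Constructed audit events in the Kubernetes audit Event shape (one JSON object per line).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "get", "user": {"username": "system:serviceaccount:airflow:airflow-scheduler"},
     "objectRef": {"resource": "pods", "namespace": "airflow", "name": "task-pod-1"},
     "requestReceivedTimestamp": "2026-06-02T10:00:00Z"},
    {"verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "airflow", "name": "task-pod-1"},
     "requestReceivedTimestamp": "2026-06-02T10:00:05Z"},
    {"verb": "list", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "airflow"},
     "requestReceivedTimestamp": "2026-06-02T10:00:06Z"},
    {"verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "configmaps", "namespace": "airflow", "name": "cfg"},
     "requestReceivedTimestamp": "2026-06-02T10:00:07Z"},
    {"verb": "get", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "other", "name": "x"},
     "requestReceivedTimestamp": "2026-06-02T10:00:08Z"},
])


def suspicious_pod_reads(audit_jsonl: str, namespace: str = AIRFLOW_NS) -> list:
    """Return (timestamp, user, verb, pod name or '*') for pod reads by non-allowed identities."""
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ref = event.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("namespace") != namespace:
            continue
        if event.get("verb") not in SPEC_READ_VERBS:
            continue
        user = (event.get("user") or {}).get("username", "")
        if user in ALLOWED_READERS:
            continue
        # list/watch carry no object name; '*' marks a whole-namespace read.
        hits.append((event.get("requestReceivedTimestamp"), user, event["verb"], ref.get("name", "*")))
    return hits
```

Each hit is a candidate for correlation with Execution API calls that follow it, as the indicators above describe.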
How to Mitigate CVE-2026-49298
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later on all components running the KubernetesExecutor
- If you previously upgraded apache-airflow-providers-cncf-kubernetes to 10.17.0 or later for CVE-2026-27173, still upgrade apache-airflow to close the core-side surface — the fixes are complementary
- Rotate any JWT signing keys used by the Execution API after patching, and review recent Variable and Connection changes for tampering
- Audit Kubernetes RBAC and remove unnecessary pods/get and pods/list permissions in the Airflow namespace
Patch Information
Apache addressed the core-side issue in apache-airflow 3.2.2. The corresponding provider fix shipped in apache-airflow-providers-cncf-kubernetes 10.17.0 under CVE-2026-27173. Both packages must be updated for full remediation. See the Apache Airflow Pull Request #60108 and the Apache Mailing List Advisory for details.
Workarounds
- Restrict pods/get and pods/list permissions in the Airflow namespace to cluster administrators and the Airflow service account only
- Place the Execution API behind network policies that allow only worker pod IP ranges to reach it
- Reduce JWT lifetime in Airflow configuration so that harvested tokens expire quickly
# Upgrade Airflow core and the Kubernetes provider together
pip install --upgrade \
    "apache-airflow==3.2.2" \
    "apache-airflow-providers-cncf-kubernetes>=10.17.0"
# Verify the installed versions
airflow version
pip show apache-airflow-providers-cncf-kubernetes | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.