CVE-2026-31987
Published: 16 April 2026
Summary
CVE-2026-31987 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Apache Airflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely remediation of the flaw that exposes JWT tokens in Airflow task logs via upgrade to version 3.2.0.
Requires definition and coordination of audit record content to exclude sensitive information such as JWT tokens from being logged.
Protects audit logs containing exposed JWT tokens from unauthorized access, preventing attackers from extracting and using them for impersonation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
JWT tokens exposed in log files (CWE-532) directly enable credential theft from files (T1552.001); stolen tokens then allow impersonation via valid accounts or application access tokens (T1078, T1550.001) for unauthorized DAG/workflow actions.
NVD Description
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Deeper analysis
CVE-2026-31987 is a vulnerability in Apache Airflow where JWT tokens used by tasks are exposed in logs, classified under CWE-532 (Insertion of Sensitive Information into Log File). This issue affects Airflow deployments prior to version 3.2.0 and was published on 2026-04-16. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges or user interaction required.
An attacker with access to the exposed logs can extract the JWT tokens, enabling UI users to impersonate DAG authors. This privilege escalation allows unauthorized actions typically reserved for DAG authors, such as potentially modifying or executing workflows, leading to high confidentiality risks without impacting integrity or availability.
Apache Airflow advisories recommend upgrading to version 3.2.0, which contains the fix for this issue. Relevant discussions and patches are documented in GitHub issues #62428 and #62773, pull request #62964, and announcements on the Apache mailing list and oss-security list.
Details
- CWE(s)