Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1826+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2025-57735: Apache Airflow JWT Token Not Invalidated on Logout
CVE-2025-57735: Apache Airflow JWT Token Not Invalidated on Logout

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2025-57735

CVE-2025-57735: Apache Airflow JWT Token Not Invalidated on Logout

A critical CVSS 9.1 vulnerability in Apache Airflow fails to invalidate JWT tokens upon user logout, allowing intercepted tokens to be reused for...

Dylan H.

Security Team

April 10, 2026
3 min read

Affected Products

  • Apache Airflow < 3.2

Overview

A critical authentication flaw tracked as CVE-2025-57735 has been identified in Apache Airflow. When a user logs out of the platform, the JWT (JSON Web Token) they were authenticated with is not invalidated server-side, leaving it reusable if intercepted. The vulnerability carries a CVSS score of 9.1 and was addressed in Apache Airflow version 3.2 via a proper token invalidation mechanism.

Vulnerability Details

FieldDetails
CVE IDCVE-2025-57735
CVSS Score9.1 (Critical)
Affected VersionsApache Airflow prior to 3.2
Fixed VersionApache Airflow 3.2
ComponentJWT authentication / session management
Attack VectorNetwork

Technical Analysis

Apache Airflow uses JWT tokens for authenticating API and web UI sessions. Under normal operation, a user who logs out should have their active token revoked. However, in versions prior to 3.2, the logout process did not record or invalidate the JWT on the server side.

This means that if an attacker intercepts a valid JWT through any means — network interception, cross-site scripting (XSS), browser history, token leakage in logs, or a compromised environment — they can continue to use it even after the legitimate user has logged out.

Exploit scenario:

  1. An authenticated Airflow user logs out of the web UI or API.
  2. The user believes their session is terminated.
  3. An attacker who previously captured the user's JWT can replay that token to the Airflow API.
  4. The server accepts the token as valid (no revocation check) and grants full access.

This is particularly dangerous in shared or cloud-based Airflow deployments where multiple users interact with DAGs, connections, variables, and secrets. Airflow's connections and variables often store database credentials, cloud API keys, and other sensitive secrets — making unauthorized session reuse extremely high-impact.

Root Cause

The root cause is a missing token blocklist / revocation mechanism at logout. JWT tokens are stateless by design; without a server-side revocation store (such as a Redis blocklist or database token table), there is no way to invalidate tokens before their expiry.

Airflow 3.2 introduces explicit token invalidation at logout by implementing a mechanism that records invalidated tokens and rejects them on subsequent requests.

Impact

  • Confidentiality: An attacker can read sensitive connection credentials, variables, DAG configurations, and execution logs.
  • Integrity: Malicious actors can trigger, pause, or modify DAG runs, variables, and connections.
  • Availability: DAG pipelines can be disrupted or deleted by an unauthorized actor using a replayed token.

Organizations running Airflow in production environments — especially those with CI/CD integrations, cloud credential storage, or multi-tenant setups — are at significant risk.

Remediation

Upgrade to Apache Airflow 3.2 or later. This version introduces the server-side JWT invalidation mechanism that properly terminates sessions on logout.

If an immediate upgrade is not possible, the following mitigations reduce risk:

  • Shorten JWT expiry times in your Airflow configuration to limit the reuse window.
  • Rotate credentials stored in Airflow connections and variables if you suspect token interception has occurred.
  • Enable audit logging to monitor for anomalous API access patterns following user logouts.
  • Restrict network access to the Airflow web server and API to trusted internal networks only.
  • Use HTTPS exclusively to reduce the risk of token interception in transit.

References

  • NVD - CVE-2025-57735
  • Apache Airflow Release Notes

Related Reading

  • CVE-2026-22753: Spring Security Filter Chain Bypass via
  • CVE-2015-20115: RealtyScript 4.0.2 Stored XSS via File
  • CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA
#CVE#Apache Airflow#JWT#authentication#Vulnerability

Related Articles

CVE-2026-22753: Spring Security Filter Chain Bypass via PathPattern Matcher

A high-severity flaw in Spring Security allows security filter chains to silently fail to match requests when PathPatternRequestMatcher.Builder is used to...

6 min read

CVE-2026-35210: OpenCTI Authorization Bypass Allows Confidence Level and Object Marking Circumvention

An authentication bypass vulnerability in OpenCTI prior to 7.260326.0 allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions, potentially escalating access to sensitive threat intelligence data.

3 min read

CVE-2026-47831: Weak RNG in BOSH Windows Stemcell Builder Enables Remote Password Prediction

A cryptographically weak random number generator in the GenerateRandomPassword function of bosh-windows-stemcell-builder allows remote attackers to predict generated credentials.

3 min read
Back to all Security Alerts