Anish Giri

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.2 **Description** A bug in the `KubernetesExecutor` causes JSON Web Tokens (JWT), used by worker pods to authenticate against the Execution API, to be passed to the worker container as command-line arguments. These tokens are visible in the pod specification. An authenticated UI or API user with read-only Kubernetes access to the cluster, such as the `pods/get` permission in the Airflow namespace, can retrieve the JWT via the `kubectl describe pod` output. This allows the user to call state-mutating Execution API endpoints to trigger DAG runs, clear runs, or read and write Variables, Connections, and XComs, effectively impersonating a running task. **Recommendations** Upgrade to version 3.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow (affected versions not specified) **Description** JWT tokens used by workers in Kubernetes Executors are exposed to users with read-only access to Kubernetes Pods. This exposure allows users with limited permissions to perform actions intended only for running tasks via the Task SDK, potentially enabling the modification of the Airflow Database state for those tasks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.0 Description Apache Airflow is affected by an issue where JWT tokens remain valid after a user logs out, potentially allowing unauthorized access if the token is intercepted. The JWT token associated with a user's authentication was not invalidated upon logout. This could allow an attacker who intercepts the token to reuse it for unauthorized access. Recommendations Upgrade to version 3.2.0 or later to resolve this issue.