Apache · Apache Airflow · CVE-2026-48726
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions prior to 3.2.2
**Description**
A bug in the authentication manager's logout handling allows previously issued JSON Web Tokens (JWT) to remain valid after a user logs out via the user interface. In deployments configured with `FabAuthManager` or `KeycloakAuthManager`, the logout flow fails to call `revoke_token()`, so the API server continues to accept the token until its `exp` claim is reached. An attacker holding a JWT from a logged-out session (for example one captured from a shared workstation, a log, or a proxy) can therefore keep making authenticated API calls as that user for the remainder of the token's lifetime; the UI logout gives no protection.
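To make the failure mode concrete, the following added example (not Airflow's code; all names, the toy HS256 issuer and the in-memory revocation store are assumptions for illustration) models an API server that validates bearer JWTs and two logout handlers: one that, like the bug described above, never calls `revoke_token()`, and one that denylists the token's `jti` until it would have expired anyway.

```python
"""Added illustration of the logout/revocation gap; not Airflow's own code.

A minimal HS256 JWT issuer and validator built on the standard library,
an in-memory revocation store, and two logout handlers. Every name here is
hypothetical and chosen only to mirror the advisory's description.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret"  # constructed for the example only
TOKEN_TTL_SECONDS = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, now=None) -> str:
    """Mint an HS256 JWT with a `jti` so individual tokens can be revoked."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:16],
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TokenStore:
    """Server-side revocation state consulted on every API request."""

    def __init__(self):
        self.revoked_jti = set()

    def revoke_token(self, token: str) -> None:
        # Only record jtis from tokens that actually verify, so a caller
        # cannot denylist someone else's token by guessing its jti.
        payload = verify_token(token, self)
        if payload is not None:
            self.revoked_jti.add(payload["jti"])


def verify_token(token: str, store: TokenStore, now=None):
    """Return the payload if signature, expiry and revocation all pass, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if payload["exp"] <= now:
        return None                      # expired: rejected even without revocation
    if payload["jti"] in store.revoked_jti:
        return None                      # revoked at logout
    return payload


def api_call(token: str, store: TokenStore) -> str:
    """Model of the API server: an authenticated request reports the acting user."""
    payload = verify_token(token, store)
    return "401 Unauthorized" if payload is None else f"200 OK as {payload['sub']}"


def logout_without_revoke(token: str, store: TokenStore) -> None:
    """Models the buggy UI logout: browser session cleared, revoke_token never called."""
    return None                          # nothing invalidates the JWT server-side


def logout_with_revoke(token: str, store: TokenStore) -> None:
    """Models the expected logout: the token is denylisted until it expires."""
    store.revoke_token(token)


def demo():
    """Return (API result after buggy logout, API result after fixed logout)."""
    store = TokenStore()
    token = issue_token("alice")
    logout_without_revoke(token, store)
    still_valid = api_call(token, store)  # attacker replaying the token keeps access
    logout_with_revoke(token, store)
    rejected = api_call(token, store)
    return still_valid, rejected


if __name__ == "__main__":
    print(demo())
```

The same check works against a live deployment without any of this code: capture the bearer token a browser session sends to the API server, log out through the UI, then replay any authenticated request with that token. A 200 response after logout means the gap is present; a rejected request means revocation is being enforced. Note that revocation state must be shared across all API server replicas, or a token revoked on one instance is still accepted by the others.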
**Recommendations**
Update to version 3.2.2 or later.