
Michael Lip

#53053 of 53,632
3.1 Total CVSS
Vulnerabilities · 1
PT-2026-45375
3.1
2026-06-01
Apache · Apache Airflow · CVE-2026-45426
**Name of the Vulnerable Software and Affected Versions**

Apache Airflow versions prior to 3.2.2

**Description**

The Log server authorizes JWT tokens against Dag IDs by applying `str.lstrip()` to the requested path segment when checking it against the token's `sub` claim. `str.lstrip(chars)` does not remove a specific prefix string: it removes every leading character that appears anywhere in `chars`, in any order and any number of times. As a result, a token issued for one Dag can also authorize access to any other Dag whose name begins with characters drawn from the original Dag's name, because `lstrip()` discards those characters as though they were the expected prefix. An authenticated Airflow worker holding a valid Log-server JWT can use this to enumerate and read the logs of other Dags, potentially leaking task output and error traces.

This issue affects deployments that rely on per-Dag log-access scoping, such as multi-team, shared-executor, or shared-worker topologies.

**Recommendations**

Upgrade to Apache Airflow 3.2.2 or later.
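The following is an added, constructed example and is not Apache Airflow's code. It models a per-Dag log-path authorization check in the simplest form that exhibits the bug described above: the check tries to strip the token's Dag ID off the front of the requested log path and then inspects what remains. The Dag ID `team_a_etl`, the path layout `<dag_id>/<run_id>/<task_id>/<try>.log`, and the function names are all assumptions chosen for illustration. The vulnerable variant uses `str.lstrip()`; the hardened variant compares the whole first path segment for equality.

```python
"""Toy model of a per-Dag log-path authorization check.

Constructed example (not Apache Airflow's code). It assumes the check strips
the token's Dag ID off the front of the requested log path and then looks at
what remains. The defect is str.lstrip(), which strips a character *set*
rather than a prefix *string*.
"""

# Hypothetical Dag ID carried in the JWT `sub` claim.
SUB_DAG_ID = "team_a_etl"

# Constructed log paths of the form "<dag_id>/<run_id>/<task_id>/<try>.log".
SAMPLE_PATHS = [
    "team_a_etl/manual__2026-06-01/extract/1.log",    # the token's own Dag
    "team_b_etl/manual__2026-06-01/extract/1.log",    # another team's Dag
    "tea/manual__2026-06-01/load/1.log",              # spelled only from {t,e,a,m,_,l}
    "latte_meal/manual__2026-06-01/load/1.log",       # longer name, same character set
    "team_a_etl_v2/manual__2026-06-01/extract/1.log", # shares the prefix but is a different Dag
]


def is_authorized_lstrip(sub_dag_id: str, requested_path: str) -> bool:
    """Vulnerable check.

    str.lstrip(chars) removes every leading character that is *in* `chars`,
    not the literal string, so any first segment spelled entirely from the
    token's characters is stripped away and the remainder starts with "/",
    which this check mistakes for "the path belongs to my Dag".
    """
    remainder = requested_path.lstrip(sub_dag_id)
    return remainder.startswith("/")


def is_authorized_prefix(sub_dag_id: str, requested_path: str) -> bool:
    """Hardened check.

    Split off the first path segment and require it to equal the Dag ID
    exactly. This rejects both the character-set match ("tea", "latte_meal")
    and a longer Dag name that merely shares the prefix ("team_a_etl_v2").
    """
    first_segment, sep, _rest = requested_path.partition("/")
    return sep == "/" and first_segment == sub_dag_id


def compare_checks(sub_dag_id: str = SUB_DAG_ID, paths=SAMPLE_PATHS) -> dict:
    """Return {path: (lstrip_decision, prefix_decision)} for each sample path."""
    return {
        path: (is_authorized_lstrip(sub_dag_id, path),
               is_authorized_prefix(sub_dag_id, path))
        for path in paths
    }


if __name__ == "__main__":
    for path, (weak, fixed) in compare_checks().items():
        flag = "  <-- over-authorized by lstrip" if weak and not fixed else ""
        print(f"{path:48s} lstrip={weak!s:5s} exact={fixed!s:5s}{flag}")
```

Running the script shows `tea/...` and `latte_meal/...` accepted by the `lstrip()` check although the token was issued for `team_a_etl`, while `team_b_etl/...` is rejected only because it contains a `b`. Note that swapping in `str.removeprefix()` alone is not sufficient either: without the segment-boundary comparison, `team_a_etl_v2` would still be treated as `team_a_etl` plus a trailing `_v2`.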