Pierrejeambrun

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.2 **Description** A bug in the authentication manager logout handling allows previously issued JSON Web Tokens (JWT) to remain valid after a user logs out via the user interface. In deployments configured with `FabAuthManager` or `KeycloakAuthManager`, the logout flow fails to trigger the `revoke token()` function, meaning the API server continues to accept the token until it expires naturally. This allows an attacker possessing a JWT from a logged-out session to perform authenticated API calls as that user. **Recommendations** Update to version 3.2.2 or later.