PT-2026-45375 · Apache · Apache Airflow

Jarek Potiuk +1 · Published 2026-06-01 · Updated 2026-06-05 · CVE-2026-45426

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 3.2.2
Description: The Log server authorizes JWT tokens against Dag IDs by applying str.lstrip() to the requested path segment when verifying the sub claim. str.lstrip() does not remove a specific prefix; it removes every leading character that belongs to the set of characters in its argument. As a result, a token issued for one Dag also matches any other Dag whose name begins with a run of characters drawn from the original Dag's name (a token for a Dag named etl_main, for example, also matches main_etl or lint). An authenticated Airflow worker holding a valid Log-server JWT can therefore enumerate and read the logs of other Dags, potentially leaking task output and error traces. This issue affects deployments that rely on per-Dag log-access scoping, such as multi-team, shared-executor, or shared-worker topologies.
Recommendations: Upgrade to version 3.2.2 or later.
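The following is an added illustration of the lstrip() mistake described above, placed beside the correct equality check. It is a simplified model written for this page, not Airflow's Log-server code: the path layout `dag_id=<id>/run_id=<run>/...`, the `LogToken` stand-in for the decoded JWT claims, the function names and the sample Dag IDs are all constructed assumptions.

```python
"""Model of a per-Dag log-path authorizer: the str.lstrip() bug vs. the fix.

Hypothetical code written for illustration, not Apache Airflow's implementation.
Assumed log path layout: dag_id=<dag>/run_id=<run>/task_id=<task>/attempt=<n>.log
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class LogToken:
    """Stand-in for the decoded Log-server JWT; only the sub claim matters here."""
    sub: str  # Dag ID the token was issued for


def dag_segment(path: str) -> str:
    """Return the Dag ID from the first path segment ('dag_id=etl_main/...' -> 'etl_main').

    The label is removed by slicing after a startswith() check. Using
    lstrip('dag_id=') here would be the same bug in a second place: it would
    also eat leading 'd', 'a', 'g', 'i' or '_' characters of the Dag name.
    """
    first = path.lstrip("/").split("/", 1)[0]
    label = "dag_id="
    if not first.startswith(label):
        raise ValueError(f"unexpected log path segment: {first!r}")
    return first[len(label):]  # str.removeprefix() on Python 3.9+ is equivalent


def authorize_vulnerable(token: LogToken, path: str) -> bool:
    """Buggy pattern: intended as 'segment equals token.sub', but lstrip() treats
    token.sub as a *set of characters*. Any segment made only of characters that
    occur in token.sub (including the empty segment) strips to '' and passes."""
    segment = dag_segment(path)
    return segment.lstrip(token.sub) == ""


def authorize_fixed(token: LogToken, path: str) -> bool:
    """Hardened check: exact comparison of the Dag ID in the path with the sub claim."""
    segment = dag_segment(path)
    return segment == token.sub


def readable_dags(token: LogToken, dag_ids: List[str],
                  check: Callable[[LogToken, str], bool]) -> List[str]:
    """Enumerate which of the candidate Dags a token can read under a given check."""
    tail = "run_id=manual__2026-01-01T00:00:00/task_id=extract/attempt=1.log"
    return [d for d in dag_ids if check(token, f"dag_id={d}/{tail}")]


# Constructed sample Dag IDs. Relative to 'etl_main' (character set {e,t,l,_,m,a,i,n}):
# 'main_etl', 'mail_item' and 'lint' consist only of those characters,
# 'etl_main_v2' stops at 'v', 'billing' stops at 'b'.
SAMPLE_DAG_IDS = ["etl_main", "main_etl", "mail_item", "etl_main_v2", "billing", "lint"]


if __name__ == "__main__":
    token = LogToken(sub="etl_main")
    print("vulnerable:", readable_dags(token, SAMPLE_DAG_IDS, authorize_vulnerable))
    print("fixed:     ", readable_dags(token, SAMPLE_DAG_IDS, authorize_fixed))
```

The enumeration helper shows the practical impact: a worker holding a token for one Dag can probe the Log server with other Dag names and, under the buggy check, succeed for every name spelled from the same characters. The fixed check accepts only the Dag named in the sub claim, and rejects an empty Dag segment, which the buggy check silently authorizes.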

Fix

Incorrect Authorization


Weakness Enumeration

Related Identifiers

BIT-AIRFLOW-2026-45426
CVE-2026-45426
PYSEC-2026-174

Affected Products

Apache Airflow