PT-2026-45379 · Apache · Apache Airflow

Bernardo Curi +1

Published 2026-06-01 · Updated 2026-06-05

CVE-2026-48726

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Airflow versions prior to 3.2.2

Description

A bug in the authentication manager's logout handling allows previously issued JSON Web Tokens (JWTs) to remain valid after a user logs out via the user interface. In deployments configured with FabAuthManager or KeycloakAuthManager, the logout flow fails to call the revoke_token() function, so the API server continues to accept the token until it expires naturally. An attacker holding a JWT from a logged-out session can therefore make authenticated API calls as that user.

Recommendations

Update to version 3.2.2 or later.
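As an added illustration of the defect described above (example code written for this page, not Airflow's own implementation), a hypothetical auth manager whose UI logout either skips or calls revoke_token(); the token format, the AuthManager class and its in-memory revocation set are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # placeholder; real deployments load this from config

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(sub: str, jti: str, ttl: int = 3600) -> str:
    """Mint an HMAC-signed token with a unique id (jti) and an expiry (exp)."""
    claims = {"sub": sub, "jti": jti, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def parse_token(token: str) -> dict:
    """Verify the signature and return the claims; raises ValueError on tampering."""
    body, sig = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

class AuthManager:
    """Hypothetical auth manager; `revoked` stands in for the server-side revocation store."""
    def __init__(self, logout_calls_revoke: bool):
        self.revoked: set[str] = set()
        self.logout_calls_revoke = logout_calls_revoke

    def revoke_token(self, token: str) -> None:
        self.revoked.add(parse_token(token)["jti"])

    def logout(self, token: str) -> None:
        # The defect on the page: UI logout returns without reaching revoke_token(),
        # so the token stays usable until exp. The fixed flow calls it.
        if self.logout_calls_revoke:
            self.revoke_token(token)

    def api_accepts(self, token: str) -> bool:
        """API-server check: valid signature, not expired, and not revoked."""
        try:
            claims = parse_token(token)
        except ValueError:
            return False
        return claims["exp"] > time.time() and claims["jti"] not in self.revoked

def token_survives_logout(fixed: bool) -> bool:
    """True when a token is still accepted by the API after the user logged out."""
    mgr = AuthManager(logout_calls_revoke=fixed)
    tok = issue_token("alice", jti="constructed-jti-0001")
    mgr.logout(tok)
    return mgr.api_accepts(tok)
```

With the vulnerable flow token_survives_logout(False) returns True, which is the behaviour the advisory describes; with logout wired to revoke_token() it returns False.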

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BIT-AIRFLOW-2026-48726
CVE-2026-48726
PYSEC-2026-187

Affected Products

Apache Airflow