CVE-2025-57735

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N                                    

Vulnerability Description

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Vulnerability Details

Published Date

April 09, 2026

Last Modified

April 13, 2026

CWE ID

CWE-613

Source

NVD

Vendor

Apache Software Foundation

Product

Apache Airflow

External References

https://github.com/apache/airflow/pull/56633
https://github.com/apache/airflow/pull/61339
https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98

CVE-2025-57735

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment