CVE-2026-27173: Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

May 19, 2026 (updated June 5, 2026)

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

References

github.com/advisories/GHSA-524w-vq63-2xhf
github.com/apache/airflow/pull/60108
lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
nvd.nist.gov/vuln/detail/CVE-2026-27173

Code Behaviors & Features

Detect and mitigate CVE-2026-27173 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →