CVE-2026-31987: Apache Airflow: JWT token appearing in logs

April 16, 2026 (updated April 24, 2026)

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

References

github.com/advisories/GHSA-phv5-vq5p-qhp7
github.com/apache/airflow
github.com/apache/airflow/issues/62428
github.com/apache/airflow/issues/62773
github.com/apache/airflow/pull/62964
lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g
nvd.nist.gov/vuln/detail/CVE-2026-31987

Code Behaviors & Features

Detect and mitigate CVE-2026-31987 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →