CVE-2025-57735
Apache Airflow: Airflow Logout Not Invalidating JWT
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token if it had been intercepted. In Airflow 3.2 we implemented a mechanism that invalidates tokens at logout. Users who are concerned about the logout scenario and the possibility of token interception should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
| Field | Value |
| --- | --- |
| CWE | CWE-613 |
| Vendor | apache software foundation |
| Product | apache airflow |
| Published | Apr 9, 2026 |
| Last Updated | Apr 9, 2026 |
Affected Versions
Apache Software Foundation / Apache Airflow
3.0.0 < 3.2.0
Credits
Saurabh Banawar, Anish Giri, Vincent Beck