CVE-2026-27173

HIGH 8.7

Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

CVSS Score

8.7

EPSS Score

0.0%

EPSS Percentile

0th

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

CWE	CWE-538
Vendor	apache software foundation
Product	apache airflow cncf kubernetes provider
Published	May 19, 2026
Last Updated	May 19, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow cncf kubernetes provider

Be the first to know when new high vulnerabilities affecting apache software foundation apache airflow cncf kubernetes provider are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow CNCF Kubernetes provider

0 < 10.17.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/60108 lists.apache.org: https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw openwall.com: http://www.openwall.com/lists/oss-security/2026/05/19/35

Credits

Nikolai Dvoinishnikov, Welltory Anton Kuznetsov, Welltory Anish Giri