Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-27173

Summary
Assigner-apache
Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At-19 May, 2026 | 19:19
Updated At-19 May, 2026 | 19:57
Rejected At-
Credits

Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:apache
Assigner Org ID:f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At:19 May, 2026 | 19:19
Updated At:19 May, 2026 | 19:57
Rejected At:
▼CVE Numbering Authority (CNA)
Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

Affected Products
Vendor
The Apache Software FoundationApache Software Foundation
Product
Apache Airflow CNCF Kubernetes provider
Collection URL
https://pypi.python.org
Package Name
apache-airflow-providers-cncf-kubernetes
Default Status
unaffected
Versions
Affected
  • From 0 before 10.17.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-538CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
Type: CWE
CWE ID: CWE-538
Description: CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Textual description of severity
text:
Moderate
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Nikolai Dvoinishnikov, Welltory
finder
Anton Kuznetsov, Welltory
remediation developer
Anish Giri
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/apache/airflow/pull/60108
patch
https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
vendor-advisory
Hyperlink: https://github.com/apache/airflow/pull/60108
Resource:
patch
Hyperlink: https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/05/19/35
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/05/19/35
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.18.7HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@apache.org
Published At:19 May, 2026 | 20:16
Updated At:19 May, 2026 | 21:16

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.7HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Type: Secondary
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-538Secondarysecurity@apache.org
CWE ID: CWE-538
Type: Secondary
Source: security@apache.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/apache/airflow/pull/60108security@apache.org
N/A
https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqwsecurity@apache.org
N/A
http://www.openwall.com/lists/oss-security/2026/05/19/35af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://github.com/apache/airflow/pull/60108
Source: security@apache.org
Resource: N/A
Hyperlink: https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
Source: security@apache.org
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/05/19/35
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2026-49298
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-0.05% / 16.84%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 07:34
Updated-03 Jun, 2026 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints — triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs — as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade `apache-airflow` to 3.2.2 or later to close the core-side surface — the two fixes are complementary, not duplicates.

Action-Not Available
Vendor-The Apache Software Foundation
Product-airflowApache Airflow
CWE ID-CWE-538
Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2018-11798
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 61.19%
||
7 Day CHG~0.00%
Published-07 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 08:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

Action-Not Available
Vendor-The Apache Software Foundation
Product-thriftApache Thrift
CWE ID-CWE-538
Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2025-27017
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.10% / 27.21%
||
7 Day CHG~0.00%
Published-12 Mar, 2025 | 16:19
Updated-12 Mar, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

Action-Not Available
Vendor-The Apache Software Foundation
Product-Apache NiFi
CWE ID-CWE-538
Insertion of Sensitive Information into Externally-Accessible File or Directory
Details not found