PatchSiren cyber security CVE debrief

CVE-2026-45426 Apache Software Foundation CVE debrief

CVE-2026-45426 is an authorization bypass in Apache Airflow's Log server that allows authenticated workers with a valid per-Dag JWT to access worker logs of other Dags. The root cause is a misuse of Python's `str.lstrip()` for path-prefix validation: `lstrip()` removes any leading run of the specified characters from a string rather than matching an exact prefix. A JWT issued for Dag `dag_a` would therefore authorize access to any Dag whose name begins with any leading run of characters drawn from the set `{d, a, g, _}`: for example, `dag_attacker`, `aaaa_target`, or `_dag_secret`. This breaks the documented per-Dag isolation boundary and can leak task output and error traces across Dag boundaries. The vulnerability affects deployments that rely on per-Dag log-access scoping, including multi-team, shared-executor, and shared-worker topologies. The issue was disclosed on 2026-06-01. The fix is available in `apache-airflow` 3.2.2 or later.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow with multi-team deployments, shared executors, or shared workers that depend on per-Dag log-access isolation.

Technical summary

The Airflow Log server validates JWT tokens by applying `str.lstrip()` against the requested path segment when checking the JWT's `sub` claim. Because `str.lstrip()` treats its argument as a set of characters to remove rather than a literal prefix, a JWT scoped to one Dag can match the names of unrelated Dags that happen to start with any combination of those characters. An authenticated worker with a valid Log-server JWT can therefore enumerate and read logs belonging to other Dags, violating the intended per-Dag access boundary. The issue is fixed in apache-airflow 3.2.2.
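The following Python snippet is an added illustration of the weakness class described above, not Airflow's own code. The exact shape of the flawed check (`lstrip()` applied to the requested Dag name and treated as a prefix match) is an assumption reconstructed from the CVE text, and the log-path layout, `TOKEN_SUB` and `SAMPLE_DAGS` are constructed sample values. It runs the assumed vulnerable check and a hardened exact-segment check over the Dag names quoted in the debrief so the difference is visible.

```python
from pathlib import PurePosixPath

# Constructed sample input: the Dag the JWT was issued for, plus the Dag names
# named in the debrief and one control name that starts with a character
# outside the set {d, a, g, _}.
TOKEN_SUB = "dag_a"
SAMPLE_DAGS = ["dag_a", "dag_attacker", "aaaa_target", "_dag_secret", "target_dag"]


def vulnerable_dag_check(token_sub: str, requested_dag: str) -> bool:
    """Assumed shape of the flawed check (not Airflow's actual code).

    str.lstrip(token_sub) strips every leading character that occurs anywhere
    in token_sub, so any name beginning with d, a, g or _ is altered and is
    mistaken for a prefix match. Note that str.removeprefix() would be the
    literal-prefix operation if prefix semantics were actually wanted.
    """
    return requested_dag.lstrip(token_sub) != requested_dag


def fixed_dag_check(token_sub: str, requested_dag: str) -> bool:
    """Hardened form: a per-Dag scope should only ever match the exact Dag id."""
    return requested_dag == token_sub


def authorize_log_path(token_sub: str, requested_path: str) -> bool:
    """Hardened path check: the first segment of the requested log path must equal
    the token's Dag id. Absolute paths and '..' segments are rejected so a
    traversal cannot reach another Dag's directory. The '<dag>/<run>/<file>'
    layout is a constructed illustration, not Airflow's on-disk layout.
    """
    path = PurePosixPath(requested_path)
    parts = path.parts
    if not parts or path.is_absolute() or ".." in parts:
        return False
    return parts[0] == token_sub


def compare_checks(token_sub: str, dag_names: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {dag_name: (vulnerable_result, fixed_result)} for each sample name."""
    return {
        name: (vulnerable_dag_check(token_sub, name), fixed_dag_check(token_sub, name))
        for name in dag_names
    }


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks(TOKEN_SUB, SAMPLE_DAGS).items():
        print(f"{name:14s} lstrip-check={weak!s:5s} exact-check={strict!s:5s}")
```

Running the module shows that the `lstrip()`-based check accepts `dag_attacker`, `aaaa_target` and `_dag_secret` for a token scoped to `dag_a` while rejecting `target_dag`, exactly the pattern the debrief describes, whereas the exact-segment check accepts only `dag_a`.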

Defensive priority

high

Recommended defensive actions

  • Upgrade to apache-airflow 3.2.2 or later to obtain the corrected authorization check.
  • If immediate patching is not feasible, review and restrict worker JWT issuance to minimize exposure, and monitor log access patterns for anomalous cross-Dag requests.
  • Audit shared-executor and shared-worker deployments for reliance on per-Dag log isolation, as these topologies are specifically affected.

Evidence notes

The vulnerability description and fix version are drawn from the official CVE text. The weakness is classified as CWE-863 (Incorrect Authorization) per the NVD source record. The fix is referenced in an Apache Airflow pull request and discussed on the Apache security mailing list and oss-security.

Official resources

2026-06-01