PatchSiren cyber security CVE debrief

CVE-2026-48726 Apache Software Foundation CVE debrief

A residual authentication flaw in Apache Airflow's logout handling allows previously-issued JWT tokens to remain valid after a user clicks logout in the UI. The vulnerability specifically affects deployments using FabAuthManager or KeycloakAuthManager, where the logout flow fails to reach the underlying `revoke_token()` call. This leaves JWT tokens accepted by the API server until their natural expiration, enabling an attacker with a previously-issued JWT for a logged-out user to continue making authenticated API calls as that user. The bug does not affect SimpleAuthManager. This issue represents a gap in the prior fix for CVE-2025-57735, which addressed cookie-side invalidation but did not cover provider-side `revoke_token()` reachability in the FAB and Keycloak code paths. Users who upgraded for CVE-2025-57735 require additional patching.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow with FabAuthManager or KeycloakAuthManager authentication, particularly those that previously patched for CVE-2025-57735 and assumed complete logout security. Security teams responsible for session lifecycle management, API security, and identity provider integrations in data pipeline environments.

Technical summary

The vulnerability exists in the logout handling of Apache Airflow's FabAuthManager and KeycloakAuthManager auth managers. When a user initiates logout through the UI, the logout flow does not reach the `revoke_token()` method in the underlying provider code. Consequently, the JWT issued to that user remains cryptographically valid and is accepted by the API server until it reaches its natural expiration time. An attacker who has obtained a user's JWT (through prior compromise, network interception, or other means) can continue to authenticate API requests as that user even after the legitimate user has logged out. SimpleAuthManager is explicitly noted as unaffected. This flaw is a residual gap from CVE-2025-57735, which corrected cookie-side invalidation in PR #57992 and PR #61339 but did not extend to the provider-side `revoke_token()` invocation for the FAB and Keycloak authentication paths.
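As an added illustration of the failure mode (this is not Airflow's code, nor the patch referenced in this debrief), the following minimal model puts the two logout patterns side by side: a logout that only drops the session cookie, so a copy of the bearer token taken beforehand still validates, and a logout that reaches a server-side `revoke_token()` before the cookie is cleared. The HMAC token format, the `RevocationStore` class, the signing key, the token lifetime and the user name are all constructed for this example.

```python
"""CWE-613 illustration: cookie-side logout vs. provider-side token revocation.
Simplified model built for this example; not Airflow's implementation."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the example
TOKEN_TTL_SECONDS = 3600                             # assumed token lifetime


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: float) -> str:
    """Issue an HS256-style token carrying a unique id (jti) and an expiry (exp)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "jti": secrets.token_hex(8),
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _claims_unverified(token: str) -> dict:
    """Read the claims without checking the signature (only used on our own tokens)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class RevocationStore:
    """Server-side denylist keyed by jti: the component a logout flow must reach."""

    def __init__(self) -> None:
        self._revoked = set()

    def revoke_token(self, token: str) -> None:
        self._revoked.add(_claims_unverified(token)["jti"])

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked


def validate_token(token: str, store: RevocationStore, now: float):
    """API-server check: signature, then expiry, then revocation. Returns (accepted, reason)."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        return False, "expired"
    if store.is_revoked(claims["jti"]):
        return False, "revoked"
    return True, "ok"


def logout_cookie_only(session: dict, store: RevocationStore) -> None:
    """Vulnerable pattern: the cookie is dropped but revoke_token() is never reached."""
    session.pop("token", None)


def logout_with_revocation(session: dict, store: RevocationStore) -> None:
    """Hardened pattern: revoke server-side first, then drop the cookie."""
    token = session.pop("token", None)
    if token is not None:
        store.revoke_token(token)


def run_scenario(logout) -> dict:
    """Issue a token, keep a copy as a replaying attacker would, log out, then replay it."""
    now = time.time()
    store = RevocationStore()
    session = {"token": issue_token("alice", now)}
    captured = session["token"]  # copy obtained before the user logged out
    logout(session, store)
    accepted, reason = validate_token(captured, store, now + 60)
    after_exp, _ = validate_token(captured, store, now + TOKEN_TTL_SECONDS + 1)
    return {"accepted_after_logout": accepted, "reason": reason,
            "accepted_after_expiry": after_exp}


if __name__ == "__main__":
    print("cookie-only logout:", run_scenario(logout_cookie_only))
    print("revoking logout   :", run_scenario(logout_with_revocation))
```

With the cookie-only logout the replayed token is accepted until `exp` is reached, which is why shortening token lifetimes works as a compensating control; with the revoking logout the same replay is refused immediately with reason `revoked`.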

Defensive priority

High

Recommended defensive actions

  • Upgrade to apache-airflow 3.2.2 or later to ensure the FAB and Keycloak logout paths properly invoke `revoke_token()` and invalidate JWT tokens at logout
  • If immediate patching is not feasible, monitor API access logs for continued JWT usage from sessions that should have been terminated via logout
  • SimpleAuthManager deployments are not affected, but confirm which auth manager is actually configured before assuming exemption
  • Review and validate that any prior upgrade for CVE-2025-57735 is supplemented with this additional patch, as the earlier fix did not cover the provider-side token revocation path
  • Assess token expiration policies as a temporary compensating control to reduce the window of exposure for non-revoked JWTs
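To make the monitoring recommendation concrete, here is an added example (not part of the advisory and not an Airflow tool) that correlates logout events with later successful API calls made under the same token id. The JSON log format, the field names (`event`, `jti`, `status`, `path`) and the sample lines are all constructed; it is assumed that a real deployment records the token id alongside each request and each logout, for example from a middleware or reverse proxy, since a plain access log carries no such field.

```python
"""Detect API calls that succeed with a token after its owner logged out.
Added example with a constructed log format; not Airflow's own logging."""
import json
from datetime import datetime

# Constructed sample log: one JSON record per line. 'jti' stands for the token id
# that the deployment is assumed to write into both logout and request records.
SAMPLE_LOG = """
{"ts": "2026-06-01T10:00:00Z", "event": "api_request", "user": "alice", "jti": "a1", "path": "/api/dags", "status": 200}
{"ts": "2026-06-01T10:05:00Z", "event": "logout", "user": "alice", "jti": "a1"}
{"ts": "2026-06-01T10:07:30Z", "event": "api_request", "user": "alice", "jti": "a1", "path": "/api/dags/etl/dagRuns", "status": 200}
{"ts": "2026-06-01T10:09:00Z", "event": "api_request", "user": "alice", "jti": "a1", "path": "/api/variables", "status": 200}
{"ts": "2026-06-01T10:10:00Z", "event": "api_request", "user": "bob", "jti": "b7", "path": "/api/dags", "status": 200}
{"ts": "2026-06-01T10:12:00Z", "event": "api_request", "user": "alice", "jti": "a1", "path": "/api/dags", "status": 401}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, ordered by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_post_logout_usage(events: list) -> list:
    """Flag successful (status < 400) requests whose token id was logged out earlier.

    Requests rejected after logout (4xx) are not flagged: they are what a working
    revoke_token() path looks like in the logs.
    """
    logged_out = {}  # jti -> timestamp of the logout event
    findings = []
    for rec in events:
        if rec["event"] == "logout":
            logged_out[rec["jti"]] = rec["ts"]
        elif rec["event"] == "api_request":
            logout_ts = logged_out.get(rec["jti"])
            if logout_ts is not None and rec["ts"] > logout_ts and rec["status"] < 400:
                findings.append({
                    "user": rec["user"],
                    "jti": rec["jti"],
                    "path": rec["path"],
                    "seconds_after_logout": int((rec["ts"] - logout_ts).total_seconds()),
                })
    return findings


def summarize(findings: list) -> dict:
    """Count flagged requests per token id, a convenient alerting key."""
    counts = {}
    for f in findings:
        counts[f["jti"]] = counts.get(f["jti"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_post_logout_usage(parse_events(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print("per-token counts:", summarize(hits))
```

On the sample above the two successful requests by `alice` at 150 and 240 seconds after her logout are flagged, `bob`'s request is ignored because his token was never logged out, and the final 401 is ignored because the server refused it. Any hit on a production deployment running FabAuthManager or KeycloakAuthManager before the fix is expected behaviour of the flaw rather than proof of compromise, but a hit from an unfamiliar source address or an unusual path is the signal worth escalating.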

Evidence notes

The CVE description and NVD source data confirm the vulnerability affects FabAuthManager and KeycloakAuthManager logout flows, with the root cause being failure to reach `revoke_token()`. CWE-613 (Insufficient Session Expiration) is identified as the weakness type. The Apache security team references PR #67289 as the remediation patch and links to the prior CVE-2025-57735 for context on the incomplete fix.

Official resources

2026-06-01