SCA: security update for apache-airflow (GHSA-vr7m-c6v4-8cx8)

medium Tenable Self-Hosted Container Security Plugin ID 444545

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the
user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not
actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until
its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to
make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or
`KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for
CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the
provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded
for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB /
Keycloak logout paths. (CVE-2026-48726)

Solution

Update the apache-airflow library and its related packages to version 3.2.2 or later.

See Also

https://github.com/advisories/GHSA-vr7m-c6v4-8cx8

Plugin Details

Severity: Medium

ID: 444545

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/9/2026

Updated: 7/9/2026

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.74

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-48726

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/1/2026

Vulnerability Publication Date: 6/1/2026

Reference Information

CVE: CVE-2026-48726

cwe: CWE-613