CVE-2026-27173: CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory in Apache Software Foundation Apache Airflow CNCF Kubernetes provider
CVE-2026-27173 is a high-severity vulnerability in the Apache Airflow CNCF Kubernetes provider where JWT tokens used by workers in Kubernetes Executors are exposed to users with read-only access to Kubernetes Pods. This exposure could allow such users to perform actions normally restricted to running tasks via the Task SDK and potentially modify the state of the Airflow Database for tasks. The vulnerability is categorized under CWE-538, indicating insertion of sensitive information into externally accessible files or directories. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
This vulnerability involves the exposure of JWT tokens used by Kubernetes Executor workers in Apache Airflow's CNCF Kubernetes provider. Users with read-only access to Kubernetes Pods can access these tokens, enabling them to perform privileged actions through the Task SDK and potentially alter the Airflow Database state related to tasks. The issue is classified as CWE-538, concerning the insertion of sensitive information into locations accessible externally. The CVSS 3.1 score is 8.7 (high), with attack vector local, low attack complexity, low privileges required, no user interaction, scope changed, and high impact on confidentiality, integrity, and low impact on availability. No patch or official remediation level has been provided as of the published date.
Potential Impact
The vulnerability allows users with only read-only access to Kubernetes Pods to gain access to JWT tokens that should be restricted to running workers. This unauthorized access can lead to privilege escalation within the Airflow environment, enabling these users to perform actions via the Task SDK that are normally limited to running tasks. Consequently, attackers could modify the state of the Airflow Database for tasks, impacting confidentiality and integrity of task data and potentially disrupting workflow operations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict read-only access to Kubernetes Pods in environments running the affected Apache Airflow CNCF Kubernetes provider versions. Monitor for updates from the Apache Software Foundation regarding patches or official mitigations.
CVE-2026-27173: CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory in Apache Software Foundation Apache Airflow CNCF Kubernetes provider
Description
CVE-2026-27173 is a high-severity vulnerability in the Apache Airflow CNCF Kubernetes provider where JWT tokens used by workers in Kubernetes Executors are exposed to users with read-only access to Kubernetes Pods. This exposure could allow such users to perform actions normally restricted to running tasks via the Task SDK and potentially modify the state of the Airflow Database for tasks. The vulnerability is categorized under CWE-538, indicating insertion of sensitive information into externally accessible files or directories. No official patch or remediation guidance is currently available from the vendor.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves the exposure of JWT tokens used by Kubernetes Executor workers in Apache Airflow's CNCF Kubernetes provider. Users with read-only access to Kubernetes Pods can access these tokens, enabling them to perform privileged actions through the Task SDK and potentially alter the Airflow Database state related to tasks. The issue is classified as CWE-538, concerning the insertion of sensitive information into locations accessible externally. The CVSS 3.1 score is 8.7 (high), with attack vector local, low attack complexity, low privileges required, no user interaction, scope changed, and high impact on confidentiality, integrity, and low impact on availability. No patch or official remediation level has been provided as of the published date.
Potential Impact
The vulnerability allows users with only read-only access to Kubernetes Pods to gain access to JWT tokens that should be restricted to running workers. This unauthorized access can lead to privilege escalation within the Airflow environment, enabling these users to perform actions via the Task SDK that are normally limited to running tasks. Consequently, attackers could modify the state of the Airflow Database for tasks, impacting confidentiality and integrity of task data and potentially disrupting workflow operations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict read-only access to Kubernetes Pods in environments running the affected Apache Airflow CNCF Kubernetes provider versions. Monitor for updates from the Apache Software Foundation regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-02-18T14:18:43.403Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0cc91dba1db47362ec07d7
Added to database: 5/19/2026, 8:33:33 PM
Last enriched: 5/19/2026, 8:48:30 PM
Last updated: 5/19/2026, 9:36:20 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.