CVE-2026-27173

Name: CVE-2026-27173
Creator: NVD / NIST
Published: 2026-05-19T20:16:17.44+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.7/10EPSS 0.13%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

Metrics

CVSS 3.1

8.7/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS Probability

0.13%

2.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-538

References

https://github.com/apache/airflow/pull/60108
https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
http://www.openwall.com/lists/oss-security/2026/05/19/35

Timeline

Published: May 19, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-27173?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST