Severity: Moderate

Affected versions:

- Apache Airflow CNCF Kubernetes provider (apache-airflow-providers-cncf-kubernetes) before 10.17.0

Description:

JWT tokens used by workers in Kubernetes Executors were exposed to users who had read-only access to Kubernetes Pods. This could allow users with only read-only access to perform actions that were available only to running tasks via the Task SDK, and potentially to modify the state of the Airflow database for tasks.

Credit:

Nikolai Dvoinishnikov, Welltory (finder)
Anton Kuznetsov, Welltory (finder)
Anish Giri (remediation developer)

References:

https://github.com/apache/airflow/pull/60108
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-27173
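
To scope who held the read-only Pod access described above, the following added example (not part of the advisory or of the Airflow project) lists RBAC roles that grant a read verb on pods. The namespace name `airflow`, the role names and the sample data are constructed assumptions.

```python
import json

# Constructed sample, shaped like `kubectl get roles,clusterroles -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "airflow"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"name": "log-reader", "namespace": "airflow"},
  "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
 {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "other"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "view-all"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "deploy-reader"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "aggregate-empty"}, "rules": null}
]}
""")

READ_VERBS = {"get", "list", "watch"}

def rule_reads_pods(rule):
    """True if one RBAC rule grants a read verb on core-group pod objects."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    in_core = "" in groups or "*" in groups          # pods live in the core ("") group
    on_pods = "pods" in resources or "*" in resources  # "pods/log" alone does not match
    can_read = "*" in verbs or bool(READ_VERBS & set(verbs))
    return in_core and on_pods and can_read

def roles_reading_pods(rbac_list, namespace):
    """Sorted (kind, name) pairs of roles able to read pods in `namespace`.

    ClusterRoles are reported as candidates: they only take effect through a
    RoleBinding in the namespace or a ClusterRoleBinding, which must be
    checked separately to find the actual subjects.
    """
    hits = []
    for item in rbac_list.get("items", []):
        meta = item["metadata"]
        if item["kind"] == "Role" and meta.get("namespace") != namespace:
            continue  # namespaced Role for a different namespace
        if any(rule_reads_pods(r) for r in item.get("rules") or []):
            hits.append((item["kind"], meta["name"]))
    return sorted(hits)

if __name__ == "__main__":
    for kind, name in roles_reading_pods(SAMPLE, "airflow"):  # assumed namespace
        print(f"{kind}/{name} can read pods")
```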
