CVE-2025-57735

Published Apr 9, 2026

Last updated 20 hours ago

Overview

Description
When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates tokens at logout. Users who are concerned about the logout scenario and the possibility of tokens being intercepted should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Source
security@apache.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-613

Social media

Hype score
Not currently trending
  1. `Apache Airflow` instances are affected by CVE-2025-57735, where JWT tokens remain valid post-logout, enabling unauthorized access. Review #Airflow deployments for #AuthBypass risk. https://t.co/gEMVyctShJ

    @pulsepatchio

    12 Apr 2026


  2. ⚡ New CVE Alert: CVE-2025-57735 🚨 Risk Level: Unknown 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/or8h03Osgj #CVE-2025-57735 #CVE #CyberSecurity #InfoSec https://t.co/nzu9t1YO2j

    @CVEarity

    10 Apr 2026


  3. CVE-2026-34538: Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure) https://t.co/kxyc4n2PPn CVE-2025-57735: Apache Airflow: Airflow Logout Not Invalidating JWT https://t.co/PAjsXHgCHy Both are "Severity: low"

    @oss_security

    10 Apr 2026


  4. 🚨*CVE* CVE-2025-57735 When user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airfl… https://t.co/qCqLNC7cUx ----- Traducción: CVE-2025-57735 Cua… https://t.co/utmtNg

    @infoflowcloud

    9 Apr 2026


  5. CVE-2025-57735 When user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airfl… https://t.co/6CZWaHxggr

    @CVEnew

    9 Apr 2026


  6. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-57735 - Apache Airflow: Airflow Logout Not Invalidating JWT Intel Report: https://t.co/X25E8H2zRy

    @cyberbivash

    9 Apr 2026
