CVE-2026-49298
Apache · Airflow
A bug in Apache Airflow's KubernetesExecutor causes sensitive JWT tokens to be exposed as command-line arguments in pod specifications.
Executive summary
Apache Airflow contains a vulnerability in its KubernetesExecutor that exposes authentication tokens to unauthorized users within the cluster.
Vulnerability
The KubernetesExecutor improperly handles JWT tokens used for Execution API authentication by passing them as visible command-line arguments. This allows an authenticated UI or API user with Kubernetes read-only access to harvest these tokens and perform unauthorized state-mutating actions.
Business impact
With a CVSS score of 8.8, this vulnerability presents a high risk of privilege escalation and unauthorized API manipulation. Successful exploitation could allow attackers to bypass intended access controls, potentially compromising the integrity of data pipelines and the underlying Airflow execution environment.
Remediation
Immediate Action: Upgrade to apache-airflow 3.2.2 or later to ensure JWT tokens are no longer exposed in pod specifications.
Proactive Monitoring: Review Kubernetes pod logs and audit access logs for suspicious API calls or unexpected execution patterns.
Compensating Controls: Restrict Kubernetes read-only access for users who do not strictly require it, and implement network policies to isolate the Execution API.
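An audit check a defender can run alongside the upgrade to confirm that no JWT remains in a pod's command line, added here as an example and not part of the advisory or Airflow itself. It assumes pod JSON in the shape of `kubectl get pods -A -o json`; the embedded sample, including its `--token` argument, is constructed for the demonstration and does not reflect Airflow's actual flags.

```python
import base64
import json
import re

# A compact JWT is three base64url segments; "eyJ" is how '{"' encodes, so every header starts with it.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _is_jwt(candidate: str) -> bool:
    """Confirm a regex hit is a JWT: its header must decode to JSON carrying an 'alg' claim."""
    header = candidate.split(".")[0]
    try:
        decoded = base64.urlsafe_b64decode(header + "=" * (-len(header) % 4))
        return "alg" in json.loads(decoded)
    except (ValueError, TypeError):
        return False


def find_jwt_exposures(pod_list: dict) -> list:
    """Scan a PodList (shape of `kubectl get pods -A -o json`) for JWTs in command/args.
    Each finding carries only a redacted prefix so the report does not re-leak the token."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for field in ("command", "args"):
                for idx, value in enumerate(c.get(field) or []):
                    for match in JWT_RE.findall(value):
                        if _is_jwt(match):
                            findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                                             "container": c.get("name"), "field": field, "index": idx,
                                             "token_prefix": match[:12] + "..."})
    return findings


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: a worker pod passing a fake JWT via a hypothetical --token flag, and a clean pod.
SAMPLE_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url({"sub": "task"}), "c2ln"])
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "airflow", "name": "task-abc123"},
     "spec": {"containers": [{"name": "base", "command": ["airflow"],
                              "args": ["tasks", "run", "--token=" + SAMPLE_JWT]}]}},
    {"metadata": {"namespace": "airflow", "name": "scheduler-0"},
     "spec": {"containers": [{"name": "scheduler", "args": ["scheduler"]}]}},
]}

if __name__ == "__main__":
    for finding in find_jwt_exposures(SAMPLE_PODS):
        print(finding)
```

Running it against live cluster output shows exactly which pod, container and argument position still carries a token, which is the condition the 3.2.2 upgrade is meant to remove.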
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the potential for unauthorized execution of API commands, administrators should prioritize updating to version 3.2.2. Restricting cluster-level visibility is a critical secondary defense measure to mitigate the risk until the patch can be deployed.