A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints — triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs — as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Apache Airflow's KubernetesExecutor contains a critical credential exposure vulnerability where JWT authentication tokens are passed as command-line arguments to worker pods, making them visible in pod specifications accessible via standard Kubernetes read operations. This affects organizations running Airflow on Kubernetes clusters where users have even minimal read-only access to pod metadata. An authenticated attacker with `pods/get` permissions can extract these JWT tokens and escalate privileges to call state-mutating Execution API endpoints, enabling them to trigger arbitrary DAG runs, clear job history, and read or modify sensitive workflow data. The vulnerability bridges the gap between read-only Kubernetes access and full Airflow API control, making it particularly dangerous in multi-tenant or shared cluster environments.
While this CVE doesn't map to specific MITRE ATT&CK techniques in the current framework, Casky's extended reasoning capabilities would detect the attack chain across credential exposure and lateral movement patterns. Practitioners using Casky would identify suspicious activity patterns including: environment variable exfiltration attempts (CWE-538 pattern), attempts to enumerate pod specifications containing sensitive data, and subsequent API calls from authenticated sessions with unexpected token origins. The platform's 754 mapped security skills enable detection of the reconnaissance phase (pod enumeration), the credential harvesting phase (extracting tokens from kubectl output), and the exploitation phase (unauthorized Execution API calls). Security teams would see findings highlighting the flow from Kubernetes read permissions → credential discovery → API abuse, allowing them to correlate pod access logs with unexpected Airflow API activity from low-privilege accounts.
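A defender-side check for the exposure described in the advisory above, written as an added example that is neither Airflow's code nor Casky's: it walks a pod spec (constructed samples here; in practice the JSON from `kubectl get pod -o json`) and flags container `command`/`args` entries and literal `env` values that look like JWTs, so an operator can verify that a deployment no longer passes the worker token on the command line. All function names, the sample token and the `<worker-entrypoint-placeholder>` argument are assumptions made for the example.

```python
import base64
import json
import re

# A JWT is three base64url segments; the first decodes to a JSON header with an "alg" field.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def looks_like_jwt(value) -> bool:
    """True if value has JWT shape and its header segment decodes to JSON containing 'alg'."""
    if not isinstance(value, str) or not JWT_RE.match(value):
        return False
    header = value.split(".")[0]
    try:
        decoded = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(decoded, dict) and "alg" in decoded

def find_exposed_jwts(pod: dict) -> list:
    """Return (container, field, token) for JWT-looking strings readable from the pod spec.
    Checks command/args (the path in this advisory) and literal env values; env entries using
    valueFrom (e.g. secretKeyRef) are not inlined in the spec, so they are not flagged."""
    hits = []
    for section in ("initContainers", "containers"):
        for c in pod.get("spec", {}).get(section) or []:
            for field in ("command", "args"):
                for item in c.get(field) or []:
                    # Accept bare tokens and --flag=token forms.
                    candidate = item.split("=", 1)[1] if item.startswith("--") and "=" in item else item
                    if looks_like_jwt(candidate):
                        hits.append((c.get("name", "?"), field, candidate))
            for env in c.get("env") or []:
                if looks_like_jwt(env.get("value")):
                    hits.append((c.get("name", "?"), "env:" + env.get("name", "?"), env["value"]))
    return hits

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample token (fake signature) and pod specs; not real Airflow output.
SAMPLE_TOKEN = _b64url({"alg": "HS512", "typ": "JWT"}) + "." + _b64url({"sub": "ti-placeholder"}) + ".fakesig"
VULNERABLE_POD = {"spec": {"containers": [
    {"name": "base", "args": ["<worker-entrypoint-placeholder>", "--token=" + SAMPLE_TOKEN]}]}}
FIXED_POD = {"spec": {"containers": [
    {"name": "base", "args": ["<worker-entrypoint-placeholder>"],
     "env": [{"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "worker-token", "key": "jwt"}}}]}]}}
```

Running `find_exposed_jwts` over every pod in the Airflow namespace after the upgrade should return an empty list; any hit means the token is still readable by anyone holding `pods/get`.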
Casky has 0 skills that investigate the attack patterns behind CVE-2026-49298.
© 2026 Casky.AI, Inc. · AI Security Investigation