Apache Airflow: Trusted Users Can Run Arbitrary Code
CVE-2026-33858
GHSA-mc4f-r875-v87w
BIT-airflow-2026-33858
Summary
Dag authors in Apache Airflow, who are trusted to write DAG code but are not supposed to be able to execute code in the webserver context, could craft an XCom payload that the XCom API deserialized unsafely through the legacy `__type`/`__var` serialization keys, causing the webserver to execute arbitrary code. Apache rates the issue Low because Dag authors are already highly trusted; NVD scores it CVSS 3.1 8.8. Deployments that let less-trusted users author DAGs should treat it accordingly. Affected releases are 3.1.8 up to but not including 3.2.0; upgrade to Apache Airflow 3.2.0, which resolves the issue.
What to do
- Update the apache-airflow PyPI package to version 3.2.0.
- Update the Bitnami airflow package to version 3.2.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| pip | – | apache-airflow | >= 3.1.8, < 3.2.0 | upgrade to 3.2.0 |
| Bitnami | – | airflow | >= 3.1.8, < 3.2.0 | upgrade to 3.2.0 |
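A quick way to find installed Airflow pins that fall inside the affected range from the table above. This is an added example for this page, not code from the Apache Airflow project; the `pip freeze`-style input lines are constructed, and the helper names (`is_affected`, `affected_airflow_pins`) are assumptions of the example.

```python
"""Check Apache Airflow version pins against the affected range of
CVE-2026-33858: >= 3.1.8 (inclusive) and < 3.2.0 (first fixed release).

Added illustration, not Apache Airflow code. Bounds come from the advisory
table; input lines are constructed `pip freeze` output.
"""
import re

AFFECTED_MIN = (3, 1, 8)   # inclusive lower bound from the advisory
FIXED = (3, 2, 0)          # exclusive upper bound: the fixed release

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, micro) for a PEP 440-style version string.

    Pre-release and local suffixes ('3.1.8rc1', '3.1.8+local') are ignored,
    which errs on the side of reporting: a 3.1.8 pre-release counts as 3.1.8.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, micro = m.groups()
    return (int(major), int(minor), int(micro or 0))


def is_affected(version):
    """True when the version is in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Only the core distribution is affected; provider packages such as
# apache-airflow-providers-* do not match because '==' must follow the name.
PIN_RE = re.compile(r"^(apache-airflow|airflow)==(\S+)$", re.IGNORECASE)


def affected_airflow_pins(freeze_lines):
    """Return [(name, version)] for every line pinning an affected release."""
    hits = []
    for line in freeze_lines:
        m = PIN_RE.match(line.strip())
        if m and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample: lines as `pip freeze` would print them.
SAMPLE_FREEZE = [
    "apache-airflow==3.1.8",                 # affected (lower bound inclusive)
    "apache-airflow==3.1.9",                 # affected
    "apache-airflow==3.2.0",                 # fixed
    "apache-airflow==3.1.7",                 # below the affected range
    "apache-airflow-providers-http==5.0.0",  # provider package, not the core
    "requests==2.32.3",
]

if __name__ == "__main__":
    for name, ver in affected_airflow_pins(SAMPLE_FREEZE):
        print(f"{name}=={ver} is affected by CVE-2026-33858; upgrade to 3.2.0")
```

Feed it the real output of `pip freeze` (or the version tag of a Bitnami image) in place of the constructed list; anything it reports should be moved to 3.2.0.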
Original title
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
Original description
Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low.
Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.
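To make the CWE-502 pattern named in the title concrete, here is a constructed illustration of a type-tagged JSON format that uses `__type`/`__var` keys, shown in an unsafe form beside a hardened one. This is example code added to this page, not Apache Airflow's serializer, and it does not reproduce the Airflow bug or its fix; the function names, the allowlist and the sample payloads are assumptions of the example.

```python
"""Type-tagged JSON decoding: unsafe name resolution vs. a closed allowlist.

Constructed illustration of CWE-502 (Deserialization of Untrusted Data).
Not Apache Airflow code; the tag format {"__type": ..., "__var": ...} is only
borrowed from the advisory title to show the shape of the problem.
"""
import decimal
import importlib
import json


class UnsafePayload(ValueError):
    """Raised by the strict decoder for any payload it refuses."""


# --- Unsafe pattern -------------------------------------------------------
# The type tag is a dotted path resolved by name at decode time, so whoever
# controls the payload controls which callable runs and with what argument.
def decode_unsafe(payload):
    obj = json.loads(payload)
    if isinstance(obj, dict) and "__type" in obj:
        module, _, name = obj["__type"].rpartition(".")
        factory = getattr(importlib.import_module(module), name)
        return factory(obj["__var"])
    return obj


# --- Hardened pattern -----------------------------------------------------
# A closed allowlist maps each permitted tag to a fixed decoder. Any object
# that uses the reserved keys must consist of exactly those two keys, carry a
# string tag, and name an allowed type; everything else is rejected outright.
ALLOWED_TYPES = {
    "set": set,
    "tuple": tuple,
    "decimal": lambda var: decimal.Decimal(str(var)),
}
RESERVED_KEYS = {"__type", "__var"}


def decode_strict(payload, max_depth=32):
    return _strict(json.loads(payload), max_depth)


def _strict(obj, depth):
    if depth < 0:
        raise UnsafePayload("nesting too deep")
    if isinstance(obj, dict):
        if RESERVED_KEYS & set(obj):
            if set(obj) != RESERVED_KEYS or not isinstance(obj["__type"], str):
                raise UnsafePayload("malformed type-tagged object")
            decoder = ALLOWED_TYPES.get(obj["__type"])
            if decoder is None:
                raise UnsafePayload(f"type tag not allowed: {obj['__type']!r}")
            var = _strict(obj["__var"], depth - 1)
            try:
                return decoder(var)
            except (TypeError, ValueError, decimal.InvalidOperation) as exc:
                raise UnsafePayload(f"bad value for {obj['__type']!r}") from exc
        return {k: _strict(v, depth - 1) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_strict(v, depth - 1) for v in obj]
    return obj  # str, int, float, bool, None pass through unchanged


def is_rejected(payload):
    """True when the strict decoder refuses the payload."""
    try:
        decode_strict(payload)
    except UnsafePayload:
        return True
    return False


# Constructed payloads: one legitimate, one naming a type the format never
# intended to be reachable. The unsafe decoder accepts both.
LEGIT = '{"__type": "set", "__var": [1, 2, 2]}'
HOSTILE = '{"__type": "builtins.len", "__var": [1, 2, 3]}'

if __name__ == "__main__":
    print("unsafe, hostile tag:", decode_unsafe(HOSTILE))   # attacker-chosen callable ran
    print("strict, legit:", decode_strict(LEGIT))
    print("strict rejects hostile:", is_rejected(HOSTILE))
```

The security-relevant difference is where type information becomes behaviour: the unsafe decoder lets the payload pick the code path, while the strict one only ever dispatches into a fixed table and treats any other use of the reserved keys as an error rather than falling back to a looser legacy path.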
NVD CVSS 3.1 base score: 8.8
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 13 Apr 2026