Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
Airflow Example Code Allows Untrusted Users to Execute Arbitrary Code
CVE-2025-54550
GHSA-q2hg-643c-gw8h
Summary
An example code in Airflow's documentation uses a method to read data that can be exploited by a trusted user with UI access to run arbitrary code on the worker. This example is not intended for production use, but if you copied it, you should update your implementation to be safer. If you're using Airflow 3.2.0 or later, the documentation already includes a safer version of the example code.
What to do
- Update apache-airflow to version 3.2.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | apache-airflow |
< 3.2.0 Fix: upgrade to 3.2.0
|
Original title
Apache Airflow: RCE by race condition in example_xcom dag
Original description
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value
from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary
execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability.
It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however
users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of
the example with improved resiliance for that case.
Users who followed that pattern are advised to adjust their implementations accordingly.
from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary
execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability.
It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however
users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of
the example with improved resiliance for that case.
Users who followed that pattern are advised to adjust their implementations accordingly.
nvd CVSS3.1
8.1
Vulnerability type
CWE-94
Code Injection
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026