
CVE-2026-33858

HIGH CVSS 3.1: 8.8
Updated Apr 17, 2026
Apache
Parameter          Value
CVSS               8.8 (HIGH)
Affected Versions  3.1.8 up to (excluding) 3.2.0
Fixed In           3.2.0
Type               CWE-502 (Deserialization of Untrusted Data)
Vendor             Apache
Public PoC         No

Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

Attack Parameters

Attack Vector:       Network (can be exploited remotely)
Attack Complexity:   Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction:    None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity:       High (complete data modification)
Availability:    High (complete denial of service)

CVSS Vector v3.1

Vulnerable Products (1)

Configuration                                              From (including)  Up to (excluding)
Apache Airflow (cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*)   3.1.8             3.2.0