Primary

Context

Apache Airflow Providers Http Unsafe Pickle Deserialization Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in the Apache Airflow Providers Http package, specifically in versions 5.1.0 prior to 6.0.0. This vulnerability arises from unsafe deserialization of pickle data, allowing a user with database access to craft an entry that executes code on the Triggerer. This execution grants the same permissions as the DAG Author. Although direct database access is uncommon and not recommended for Airflow, the vulnerability exists.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Apache Airflow is running.

Remediation

Users are advised to upgrade to version 6.0.0 of the Apache Airflow Providers Http package to mitigate this vulnerability.

Added: Mar 9, 2026, 11:19 AM

Updated: Mar 9, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

2.0

remediation

0.0

relevance

3.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

2.0

remediation

0.0

relevance

3.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Airflow Providers Http Unsafe Pickle Deserialization Leading to Remote Code Execution

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating