Primary

Context

Apache Airflow Extra Links API XCom Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

Patched

A vulnerability exists in Apache Airflow in versions prior to 3.2.0, where Dag Authors can craft XCom payloads that trigger the webserver to execute arbitrary code. This issue arises because Dag Authors are considered highly trusted, although the overall severity is rated low.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the webserver.

Remediation

Users are advised to upgrade to Apache Airflow 3.2.0, which addresses this vulnerability.

Added: Apr 18, 2026, 7:21 AM

Updated: Apr 18, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

7.5

exploitability

5.3

remediation

7.7

relevance

6.0

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

7.5

exploitability

5.3

remediation

7.7

relevance

6.0

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Airflow Extra Links API XCom Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

Impact

Remediation

Affected Products

Apache Airflow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating