Primary

Context

Apache Airflow XCom API Unsafe Deserialization Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Patched

A vulnerability exists in Apache Airflow versions 3.1.8 prior to 3.2.0, allowing Dag Authors to execute arbitrary code in the webserver context by crafting XCom payloads. This issue arises from an unsafe deserialization via legacy serialization keys, which Dag Authors, despite their trusted status, should not be able to exploit.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the webserver.

Remediation

Users are advised to upgrade to Apache Airflow 3.2.0, which addresses this vulnerability.

Added: Apr 13, 2026, 3:48 PM

Updated: Apr 13, 2026, 3:48 PM

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

7.5

exploitability

4.9

remediation

7.7

relevance

5.8

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

7.5

exploitability

4.9

remediation

7.7

relevance

5.8

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Airflow XCom API Unsafe Deserialization Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Impact

Remediation

Affected Products

Apache Airflow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating