Apache CVE-2026-25917

EUVD ID: EUVD-2026-23658
Severity: HIGH (CVSS 3.1 base score 7.2)
Weakness: Deserialization of Untrusted Data (CWE-502)
Date: 2026-04-18
Vendor: apache
Advisory: GHSA-6ffj-2wg2-w45j

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events, newest first)

Apr 22, 2026 14:22, NVD: Severity changed, CRITICAL -> HIGH
Apr 22, 2026 14:22, NVD: CVSS changed, 9.8 (CRITICAL) -> 7.2 (HIGH)
Apr 21, 2026 14:57, vuln.today: Analysis updated, v2 (cvss_changed)
Apr 20, 2026 19:07, vuln.today: Re-analysis queued (cvss_changed)
Apr 20, 2026 16:22, vuln.today: Analysis generated
Apr 20, 2026 16:22, NVD: CVSS changed, 9.8 (CRITICAL)

Description (NVD)

Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Analysis (AI-generated)

Deserialization vulnerability in the Apache Airflow webserver (versions before 3.2.0) allows a DAG author to execute arbitrary code in the webserver context by crafting a malicious XCom payload that the webserver deserializes. NVD's initial 9.8 Critical score used PR:N, treating this as unauthenticated network RCE and contradicting the description's trust assumption; on Apr 22 NVD revised it to 7.2 High with PR:H, which matches the description: the attacker must already hold DAG-authoring privileges, a role the vendor describes as highly trusted. The practical risk is therefore escalation from DAG author to code execution in the webserver process, not exposure to anonymous network users. …

Remediation (AI-generated)

Within 24 hours: Inventory all Airflow webserver instances running versions below 3.2.0. Because exploitation requires DAG-author privileges (PR:H), restricting network access to the webserver is defence in depth rather than the primary control; review which accounts hold DAG-authoring access and whether that trust is warranted. Within 7 days: Upgrade all affected Airflow deployments to 3.2.0 or later per the vendor advisory. …
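The inventory step above is where version checks usually go wrong: a plain string comparison puts "3.10.1" below "3.2.0". The script below is an added example, not tooling from vuln.today or the Apache Airflow project. It parses version strings into integer components and flags anything below the fixed release; the inventory is constructed sample data (hostnames and versions are made up), and the policy of treating pre-releases of 3.2.0 as still affected is an assumption for this example, not something the advisory states.

```python
"""Version audit for the 'upgrade to 3.2.0 or later' step (added example,
not the page's or Apache's own tooling)."""

import re

FIXED_IN = (3, 2, 0)  # from the advisory: Apache Airflow 3.2.0 fixes the issue

# Matches "3.1.2", "3.2.0rc1", "3.2.0.dev0", "2.10.5+local" -> (major, minor, patch, rest)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, is_prerelease) for an Airflow version string.
    Comparing integer tuples avoids the "3.10.1" < "3.2.0" string-ordering mistake."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Airflow version string: {text!r}")
    major, minor, patch, rest = m.groups()
    # A suffix starting with a/b/rc/dev/alpha/beta marks a pre-release; a "+local" label does not.
    is_prerelease = bool(re.match(r"^[.\-]?(a|b|rc|dev|alpha|beta)\d*", rest))
    return (int(major), int(minor), int(patch), is_prerelease)


def is_affected(version: str) -> bool:
    """True if the version should be treated as vulnerable to CVE-2026-25917.
    Policy (an assumption of this example, not stated in the advisory): every
    release below 3.2.0, plus pre-releases of 3.2.0 itself, counts as affected."""
    major, minor, patch, pre = parse_version(version)
    release = (major, minor, patch)
    if release < FIXED_IN:
        return True
    if release == FIXED_IN and pre:
        return True
    return False


def audit(inventory: dict) -> list:
    """Return the sorted hostnames whose Airflow version still needs patching."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "airflow-web-01.example.internal": "3.1.2",
    "airflow-web-02.example.internal": "3.2.0",
    "airflow-web-03.example.internal": "3.10.1",   # hypothetical later release
    "airflow-legacy.example.internal": "2.9.3",
    "airflow-staging.example.internal": "3.2.0rc1",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade to 3.2.0 or later")
```

In practice the version strings come from `airflow version` or the installed package metadata on each host; the point of the example is the comparison, which must be numeric per component rather than lexical.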

CVE-2026-25917 vulnerability details – vuln.today