Skip to main content

Apache Airflow CVE-2026-33264

| EUVDEUVD-2026-42030 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-07 apache GHSA-2943-9672-r45w
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Attacker must have DAG-author privileges (PR:L) rather than none; code path is low-complexity; S:C because DAG-author code escapes its zone to execute in the separately-trusted Scheduler/API Server, with full C/I/A.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 07, 2026 - 16:29 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 07, 2026 - 16:29 vuln.today
Analysis Updated
Jul 07, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 07, 2026 - 16:22 NVD
9.8 (CRITICAL)
Analysis Generated
Jul 07, 2026 - 10:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 454 pypi packages depend on apache-airflow (429 direct, 30 indirect)

Ecosystem-wide dependent count for version 3.3.0.

DescriptionCVE.org

A bug in BaseSerialization.deserialize() allowed unrestricted import_string() of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to apache-airflow 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the [core] allowed_deserialization_classes config to a narrow allowlist.

AnalysisAI

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain DAG-author access
Delivery
Author DAG with malicious trigger class path
Exploit
Scheduler/API Server deserializes serialized DAG
Execution
import_string() loads attacker class
Persist
Arbitrary code executes in privileged process
Impact
RCE crossing Airflow security boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be able to author or submit a DAG to the target Airflow deployment and to embed a malicious trigger whose kwargs carry an attacker-chosen class path; the payload fires when the Scheduler or API Server deserializes that serialized DAG via the unrestricted BaseSerialization.deserialize()/import_string() path in versions before 3.3.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), implying trivial unauthenticated network RCE, but this conflicts with the description, which states the attacker must be a DAG author who embeds a malicious trigger - a semi-trusted role, not an anonymous remote actor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with DAG-authoring access to a shared Airflow instance writes a DAG containing a deferred task whose trigger kwargs reference an attacker-controlled dotted class path. When the Scheduler or API Server loads and deserializes that serialized DAG, import_string() imports and instantiates the malicious class, executing arbitrary code in the privileged process. …
Remediation Vendor-released patch: upgrade apache-airflow to 3.3.0 or later, which removes the eager BaseSerialization.deserialize() of stored trigger/next kwargs in the Scheduler and API Server (upstream fixes in https://github.com/apache/airflow/pull/66002 and https://github.com/apache/airflow/pull/68528; see the advisory at https://lists.apache.org/thread/otvdw8qt2y7xy2n5nq9xby9ky4rf5ltj). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Airflow deployments and versions; audit which personnel and external integrations hold DAG submission access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-30898 HIGH
8.8 Apr 18

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate priv

CVE-2025-54550 HIGH
8.1 Apr 15

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xco

CVE-2026-30911 HIGH
8.1 Mar 17

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnera

CVE-2026-31987 HIGH
7.5 Apr 16

Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI

CVE-2026-28779 HIGH
7.5 Mar 17

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High

CVE-2026-32228 HIGH
7.5 Apr 18

Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acycli

CVE-2026-49296 MEDIUM
6.5 Jul 07

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full fil

CVE-2026-49487 MEDIUM
6.5 Jul 07

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when t

CVE-2026-48828 MEDIUM
6.5 Jul 07

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read

CVE-2026-48892 MEDIUM
6.5 Jul 07

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permissi

CVE-2026-26929 MEDIUM
6.5 Mar 17

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management proce

CVE-2026-48891 MEDIUM
4.3 Jul 07

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted D

Share

CVE-2026-33264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy