Is Deserialization affected by CVE-2026-33858?

Apache Airflow versions 3.1.8 through 3.1.x contain a remote code execution vulnerability in XCom payload handling that allows authenticated DAG Authors to execute arbitrary code within the webserver context.

CVE-2026-33858

Q: How to fix CVE-2026-33858?

Within 24 hours: inventory all Apache Airflow 3.1.8 through 3.1.x deployments and identify DAG Author role assignments. Within 7 days: upgrade to Apache Airflow 3.2.0 or apply vendor-released patch; if immediate upgrade is not feasible, implement access controls restricting DAG Author role to essential personnel only and enable detailed audit logging of DAG creation and modification activities. Within 30 days: conduct post-patch validation and review DAG Author access provisioning across all environments.

EUVD-2026-21978 HIGH

2026-04-13 apache

GHSA-mc4f-r875-v87w

Deserialization Apache RCE Apache Airflow

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 15, 2026 - 12:30 vuln.today

CVSS Changed

Apr 13, 2026 - 16:22 NVD

8.8 (HIGH)

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

21 pypi packages depend on apache-airflow (11 direct, 10 indirect)

Ecosystem-wide dependent count for version 3.1.8.

DescriptionNVD

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

AnalysisAI

Remote code execution in Apache Airflow 3.1.x allows authenticated DAG Authors to execute arbitrary code in the webserver context through crafted XCom payloads exploiting insecure deserialization (CWE-502). Affects Apache Airflow versions 3.1.8 through <3.2.0. …

RemediationAI

Within 24 hours: inventory all Apache Airflow 3.1.8 through 3.1.x deployments and identify DAG Author role assignments. Within 7 days: upgrade to Apache Airflow 3.2.0 or apply vendor-released patch; if immediate upgrade is not feasible, implement access controls restricting DAG Author role to essential personnel only and enable detailed audit logging of DAG creation and modification activities. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33858 vulnerability details – vuln.today

Back

CVE-2026-33858

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code