
Apache Airflow EUVD-2026-33588 | CVE-2026-42359
HIGH 8.8 (CVSS 3.1, NVD)
Deserialization of Untrusted Data (CWE-502)

Severity by source

NVD (primary, and the only source for this CVE): 8.8 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS vector breakdown (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 02, 2026 14:22 · vuln.today · Source code evidence fetched
Jun 02, 2026 14:22 · vuln.today · Analysis generated
Jun 02, 2026 14:22 · NVD · CVSS changed to 8.8 (HIGH)
Jun 01, 2026 10:01 · EUVD · Patch available
May 31, 2026 12:45 · NVD · CVE published (no severity at publication; now HIGH 8.8)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 10 PyPI packages depend on apache-airflow (1 direct, 9 indirect)

Ecosystem-wide dependent count for version 3.2.0.

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI-generated)

Authenticated remote code execution in Apache Airflow 3.2.0 through 3.2.1: a user with permission to update XCom entries can achieve code execution by submitting reserved deserialization metadata keys (e.g. __classname__, __type, __data__, __var) in the body sent to the PATCH XCom endpoint. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: obtain an authenticated Airflow account with XCom edit rights.
Delivery: PATCH an XCom entry whose value carries reserved __classname__/__type metadata keys.
Exploit: XComUpdateBody lacks the FORBIDDEN_XCOM_KEYS validation, so the reserved keys are stored as submitted.
Install: a downstream task's xcom_pull deserializes the attacker payload.
C2: the attacker-chosen class is instantiated in the worker process.
Execute: code execution as the Airflow worker user.
Impact: pivot to connections, secrets, and DAG infrastructure.

Vulnerability Assessment (AI-generated)

Exploitation: requires an authenticated Airflow account with permission to PATCH XCom entries (the FastAPI route /dags/{dag_id}/dagRuns/{run_id}/taskInstances/{task_id}/xcomEntries/{xcom_key}); the CVSS PR:L metric reflects that low-privilege authentication is mandatory. …

Risk assessment: signals are mixed and lean toward lower real-world urgency than the 8.8 CVSS suggests. …

Exploit scenario: an authenticated Airflow user with XCom edit rights (for example, a compromised DAG-author account or an insider) sends a PATCH request to /dags/{dag}/dagRuns/{run}/taskInstances/{task}/xcomEntries/{key} with a JSON body whose value contains a nested {"__classname__": "<gadget class>", "__var": {...}} structure. When a downstream task or operator later reads that XCom, Airflow's serializer instantiates the attacker-chosen class with attacker-controlled fields, yielding code execution in the worker context. …

Remediation: upgrade Apache Airflow to 3.2.2 or later, which adds the FORBIDDEN_XCOM_KEYS field validator to XComUpdateBody (apache/airflow PR #65915, https://github.com/apache/airflow/pull/65915); see the ASF advisory at https://lists.apache.org/thread/g8dqykpf1p90tysq8tln4qtkqwb1038s. …
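An added illustration of the missing check, written for this page and not taken from Airflow: the advisory and PR describe a FORBIDDEN_XCOM_KEYS field validator on XComUpdateBody, and the stand-alone Python below approximates that idea as a recursive walk over the submitted value, with the unchecked "before" path beside the checked "after" path. The reserved-key set is the one named in the analysis above; the exact set Airflow forbids, the JSON shapes, and the placeholder class name in the constructed payload are assumptions.

```python
"""Reject reserved serializer metadata keys in an XCom PATCH body.

Added example for this page; not Airflow's code. Airflow 3.2.2 adds a
FORBIDDEN_XCOM_KEYS field validator on XComUpdateBody (apache/airflow
PR #65915); this stand-alone version approximates that check with a
recursive walk so nested payloads are caught, not only top-level keys.
"""
from typing import Any

# Assumed reserved-key set: the keys named in the advisory analysis above.
# Airflow's real forbidden set may be longer.
RESERVED_KEYS = frozenset({"__classname__", "__type", "__data__", "__var"})


def find_reserved_keys(value: Any, path: str = "$") -> list[str]:
    """Return JSONPath-style locations of reserved keys anywhere in a JSON-like value.

    The walk is recursive on purpose: the scenario above nests the gadget dict
    inside an otherwise harmless value, so checking only body["value"].keys()
    would miss it.
    """
    hits: list[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if isinstance(key, str) and key in RESERVED_KEYS:
                hits.append(child_path)
            hits.extend(find_reserved_keys(child, child_path))
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            hits.extend(find_reserved_keys(child, f"{path}[{index}]"))
    return hits


def accept_update_unchecked(body: dict) -> dict:
    """'Before' behaviour: the body is stored as submitted (the 3.2.0/3.2.1 pattern)."""
    return body


def accept_update_checked(body: dict) -> dict:
    """'After' behaviour: refuse any value that smuggles serializer metadata keys."""
    hits = find_reserved_keys(body.get("value"))
    if hits:
        raise ValueError(f"reserved serializer keys in XCom value: {hits}")
    return body


def is_rejected(body: dict) -> bool:
    """Yes/no wrapper around the hardened path, for callers and tests."""
    try:
        accept_update_checked(body)
    except ValueError:
        return True
    return False


# Constructed sample bodies. "example.module.SomeClass" is a placeholder,
# not a real gadget class; the nested fields are just attacker-controlled data.
BENIGN_BODY = {"value": {"rows": 42, "tables": ["users", "orders"]}}
MALICIOUS_BODY = {
    "value": {
        "result": {
            "__classname__": "example.module.SomeClass",
            "__var": {"field": "attacker-controlled"},
        }
    }
}

if __name__ == "__main__":
    print("unchecked accepts payload:", accept_update_unchecked(MALICIOUS_BODY) is MALICIOUS_BODY)
    print("checked rejects payload:", is_rejected(MALICIOUS_BODY))
    print("checked rejects benign:", is_rejected(BENIGN_BODY))
    print("reserved keys found at:", find_reserved_keys(MALICIOUS_BODY["value"]))
```

The validator belongs at the API boundary because the dangerous step (instantiating the named class) happens later, in whichever worker pulls the XCom; by then the stored value is indistinguishable from a legitimately serialized object, so the only reliable place to refuse it is before it is written.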

Recommended Action (AI-generated)

Within 24 hours: audit all Airflow deployments to identify versions 3.2.0 through 3.2.1 and review which accounts hold XCom update permissions. …
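As an added example of the review this action calls for, not something from the page or from Airflow: the Python below scans API-server access log lines for PATCH requests to the xcomEntries route and reports which client touched which XCom. The log lines are constructed in uvicorn's default access-log shape, and the /api/v2 prefix is an assumption. Access logs carry no request body, so this surfaces every XCom update made against an unpatched server for triage rather than only malicious ones, and it shows client addresses, not accounts; mapping those to users needs the server's authentication logs.

```python
"""Find PATCH requests to the XCom entry route in API-server access logs.

Added example for this page; not Airflow tooling. Assumes uvicorn-style
access log lines and a /api/v2 route prefix (both assumptions). The route
shape /dags/{dag_id}/dagRuns/{run_id}/taskInstances/{task_id}/xcomEntries/{key}
is the one named in the assessment above.
"""
import re
from collections import Counter

# uvicorn default access-log shape: LEVEL  client:port - "METHOD /path HTTP/x" STATUS ...
ACCESS_LINE = re.compile(
    r'^\S+\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Any prefix (e.g. /api/v2) followed by the XCom entry route; an optional
# query string (such as map_index for mapped tasks) is tolerated after the key.
XCOM_ROUTE = re.compile(
    r'^(?:/[^/]+)*?/dags/(?P<dag_id>[^/]+)/dagRuns/(?P<run_id>[^/]+)'
    r'/taskInstances/(?P<task_id>[^/]+)/xcomEntries/(?P<xcom_key>[^/?]+)(?:\?.*)?$'
)


def find_xcom_patches(lines, successful_only: bool = False) -> list[dict]:
    """Return one record per PATCH to the XCom route; optionally keep only 2xx responses."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or m["method"] != "PATCH":
            continue
        r = XCOM_ROUTE.match(m["path"])
        if not r:
            continue  # some other PATCH (e.g. task instance state), not an XCom write
        status = int(m["status"])
        if successful_only and not 200 <= status < 300:
            continue
        findings.append({
            "client": m["client"],
            "status": status,
            "dag_id": r["dag_id"],
            "run_id": r["run_id"],
            "task_id": r["task_id"],
            "xcom_key": r["xcom_key"],
        })
    return findings


def writes_per_client(findings) -> dict:
    """Count XCom writes by client address, the first cut for 'who has been using this'."""
    return dict(Counter(f["client"] for f in findings))


# Constructed sample lines: one XCom write, one read, one unrelated PATCH,
# and one denied XCom write on a mapped task instance.
SAMPLE_LOG = """\
INFO:     10.0.0.5:51234 - "PATCH /api/v2/dags/etl/dagRuns/manual__2026-06-01T00:00:00+00:00/taskInstances/extract/xcomEntries/return_value HTTP/1.1" 200 OK
INFO:     10.0.0.5:51235 - "GET /api/v2/dags/etl/dagRuns/manual__2026-06-01T00:00:00+00:00/taskInstances/extract/xcomEntries/return_value HTTP/1.1" 200 OK
INFO:     10.0.0.9:40011 - "PATCH /api/v2/dags/etl/dagRuns/manual__2026-06-01T00:00:00+00:00/taskInstances/extract HTTP/1.1" 200 OK
INFO:     10.0.0.7:40012 - "PATCH /api/v2/dags/report/dagRuns/scheduled__2026-06-01T06:00:00+00:00/taskInstances/render/xcomEntries/config?map_index=2 HTTP/1.1" 403 Forbidden
""".splitlines()

if __name__ == "__main__":
    for hit in find_xcom_patches(SAMPLE_LOG):
        print(hit)
    print("successful writes per client:",
          writes_per_client(find_xcom_patches(SAMPLE_LOG, successful_only=True)))
```

On a server still at 3.2.0 or 3.2.1, every successful record this produces is a candidate stored payload: the entry should be read back and checked for reserved serializer keys before any task is allowed to pull it.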




