Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attacker must have DAG-author privileges (PR:L) rather than none; code path is low-complexity; S:C because DAG-author code escapes its zone to execute in the separately-trusted Scheduler/API Server, with full C/I/A.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 454 pypi packages depend on apache-airflow (429 direct, 30 indirect)
Ecosystem-wide dependent count for version 3.3.0.
DescriptionCVE.org
A bug in BaseSerialization.deserialize() allowed unrestricted import_string() of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to apache-airflow 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the [core] allowed_deserialization_classes config to a narrow allowlist.
Articles & Coverage 1
AnalysisAI
Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be able to author or submit a DAG to the target Airflow deployment and to embed a malicious trigger whose kwargs carry an attacker-chosen class path; the payload fires when the Scheduler or API Server deserializes that serialized DAG via the unrestricted BaseSerialization.deserialize()/import_string() path in versions before 3.3.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), implying trivial unauthenticated network RCE, but this conflicts with the description, which states the attacker must be a DAG author who embeds a malicious trigger - a semi-trusted role, not an anonymous remote actor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with DAG-authoring access to a shared Airflow instance writes a DAG containing a deferred task whose trigger kwargs reference an attacker-controlled dotted class path. When the Scheduler or API Server loads and deserializes that serialized DAG, import_string() imports and instantiates the malicious class, executing arbitrary code in the privileged process. … |
| Remediation | Vendor-released patch: upgrade apache-airflow to 3.3.0 or later, which removes the eager BaseSerialization.deserialize() of stored trigger/next kwargs in the Scheduler and API Server (upstream fixes in https://github.com/apache/airflow/pull/66002 and https://github.com/apache/airflow/pull/68528; see the advisory at https://lists.apache.org/thread/otvdw8qt2y7xy2n5nq9xby9ky4rf5ltj). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Airflow deployments and versions; audit which personnel and external integrations hold DAG submission access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Airflow
View allCommand injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate priv
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xco
CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnera
Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI
CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High
Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acycli
{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full fil
Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when t
Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read
Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permissi
CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management proce
Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted D
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42030
GHSA-2943-9672-r45w