Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <e7923a9f-c4de-2d86-6098-debe70249584@apache.org>
Date: Mon, 13 Apr 2026 14:21:22 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-33858: Apache Airflow: Unsafe Deserialization via Legacy
 Serialization Keys (__type/__var) Bypass in XCom API 

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.1.8 before 3.2.0

Description:

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.


Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

Credit:

wooseokdotkim (finder)
Amogh Desai (remediation developer)

References:

https://github.com/apache/airflow/pull/64148
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33858

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.