CVE-2026-25917
Received Received - Intake
Arbitrary Code Execution via XCom Payload in Apache Airflow

Publication date: 2026-04-18

Last updated on: 2026-04-22

Assigner: Apache Software Foundation

Description
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25917
EUVD
EUVD-2026-23658
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows Dag Authors, who normally should not be able to execute code in the webserver context, to craft an XCom payload that causes the webserver to execute arbitrary code.

Because Dag Authors are already highly trusted users, the severity of this issue is considered low.

Impact Analysis

The impact of this vulnerability is that a Dag Author could execute arbitrary code in the webserver context, potentially leading to unauthorized actions or changes within the webserver environment.

However, since Dag Authors are already highly trusted, the overall severity and impact are considered low.

Mitigation Strategies

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart