CVE-2026-25917
Received Received - Intake

Arbitrary Code Execution via XCom Payload in Apache Airflow

Vulnerability report for CVE-2026-25917, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-18

Last updated on: 2026-04-22

Assigner: Apache Software Foundation

Description

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-18
Last Modified
2026-04-22
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows Dag Authors, who normally should not be able to execute code in the webserver context, to craft an XCom payload that causes the webserver to execute arbitrary code.

Because Dag Authors are already highly trusted users, the severity of this issue is considered low.

Impact Analysis

The impact of this vulnerability is that a Dag Author could execute arbitrary code in the webserver context, potentially leading to unauthorized actions or changes within the webserver environment.

However, since Dag Authors are already highly trusted, the overall severity and impact are considered low.

Mitigation Strategies

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart