CVE-2026-25917
Arbitrary Code Execution via XCom Payload in Apache Airflow
Publication date: 2026-04-18
Last updated on: 2026-04-22
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | to 3.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows Dag Authors, who normally should not be able to execute code in the webserver context, to craft an XCom payload that causes the webserver to execute arbitrary code.
Because Dag Authors are already highly trusted users, the severity of this issue is considered low.
How can this vulnerability impact me? :
The impact of this vulnerability is that a Dag Author could execute arbitrary code in the webserver context, potentially leading to unauthorized actions or changes within the webserver environment.
However, since Dag Authors are already highly trusted, the overall severity and impact are considered low.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.