CVE-2026-42359
Analyzed Analyzed - Analysis Complete
Remote Code Execution in Apache Airflow via XCom PATCH Endpoint

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: Apache Software Foundation

Description
A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-42359
EUVD
EUVD-2026-33588
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 3.2.0 (inc) to 3.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache Airflow's XCom PATCH endpoint (`PATCH /api/v2/xcomEntries/{key}`). It allows an authenticated user with XCom write permission on a DAG to set XCom entries using reserved key names that are supposed to be forbidden. While the POST endpoint already validated and blocked these reserved keys, the PATCH endpoint did not, creating a security gap.

Because the PATCH endpoint accepted serialized payloads that the triggerer's deserializer treats as executable code, this flaw could lead to remote code execution (RCE) on the triggerer when the affected task next deferred. This means an attacker with the right permissions could execute arbitrary code on the system.

This vulnerability is a bypass of a previous fix (CVE-2026-33858) that only covered the POST endpoint. To fully fix the issue, users need to upgrade to Apache Airflow version 3.2.2 or later, which adds validation to the PATCH endpoint as well.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

If you have deployments of Apache Airflow where untrusted or less trusted users have XCom write permission on DAGs that defer to the triggerer, this vulnerability can allow those users to execute arbitrary code remotely on the system running the triggerer.

This could lead to unauthorized control over the Airflow environment, potentially compromising the integrity, confidentiality, and availability of your workflows and underlying infrastructure.

Detection Guidance

Detection of this vulnerability involves identifying if the Apache Airflow deployment allows authenticated users with XCom write permissions to use the PATCH /api/v2/xcomEntries/{key} endpoint to set XCom entries with reserved keys such as return_value.

Since the vulnerability is related to the acceptance of forbidden keys in the PATCH endpoint payload, you can monitor or log API requests to this endpoint and inspect if any payloads contain reserved keys like __classname__, __type, __var, __data__, or return_value.

Suggested commands or methods include:

  • Use network traffic capture tools (e.g., tcpdump, Wireshark) to capture HTTP PATCH requests to /api/v2/xcomEntries/* and analyze payloads for forbidden keys.
  • Query Airflow API logs or audit logs for PATCH requests containing reserved keys in the JSON body.
  • Use curl or similar tools to manually test the PATCH endpoint with payloads containing reserved keys to verify if the system rejects them (e.g., expecting HTTP 422 error).
Mitigation Strategies

The immediate mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes the fix that adds validation for forbidden XCom keys on the PATCH endpoint.

This fix ensures that the PATCH /api/v2/xcomEntries/{key} endpoint rejects payloads containing reserved keys with an HTTP 422 error, consistent with the POST endpoint behavior.

Additionally, restrict XCom write permissions to trusted users only, especially in environments where tasks defer to the triggerer, to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart