CVE-2026-42359
Remote Code Execution in Apache Airflow via XCom PATCH Endpoint
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow | From 3.2.2 (inc) |
| apache | airflow | From 3.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache Airflow's XCom PATCH endpoint (`PATCH /api/v2/xcomEntries/{key}`). It allows an authenticated user with XCom write permission on a DAG to set XCom entries using reserved key names that are supposed to be forbidden. While the POST endpoint already validated and blocked these reserved keys, the PATCH endpoint did not, creating a security gap.
Because the PATCH endpoint accepted serialized payloads that the triggerer's deserializer treats as executable code, this flaw could lead to remote code execution (RCE) on the triggerer when the affected task next deferred. This means an attacker with the right permissions could execute arbitrary code on the system.
This vulnerability is a bypass of a previous fix (CVE-2026-33858) that only covered the POST endpoint. To fully fix the issue, users need to upgrade to Apache Airflow version 3.2.2 or later, which adds validation to the PATCH endpoint as well.
How can this vulnerability impact me? :
If you have deployments of Apache Airflow where untrusted or less trusted users have XCom write permission on DAGs that defer to the triggerer, this vulnerability can allow those users to execute arbitrary code remotely on the system running the triggerer.
This could lead to unauthorized control over the Airflow environment, potentially compromising the integrity, confidentiality, and availability of your workflows and underlying infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Apache Airflow deployment allows authenticated users with XCom write permissions to use the PATCH /api/v2/xcomEntries/{key} endpoint to set XCom entries with reserved keys such as return_value.
Since the vulnerability is related to the acceptance of forbidden keys in the PATCH endpoint payload, you can monitor or log API requests to this endpoint and inspect if any payloads contain reserved keys like __classname__, __type, __var, __data__, or return_value.
Suggested commands or methods include:
- Use network traffic capture tools (e.g., tcpdump, Wireshark) to capture HTTP PATCH requests to /api/v2/xcomEntries/* and analyze payloads for forbidden keys.
- Query Airflow API logs or audit logs for PATCH requests containing reserved keys in the JSON body.
- Use curl or similar tools to manually test the PATCH endpoint with payloads containing reserved keys to verify if the system rejects them (e.g., expecting HTTP 422 error).
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes the fix that adds validation for forbidden XCom keys on the PATCH endpoint.
This fix ensures that the PATCH /api/v2/xcomEntries/{key} endpoint rejects payloads containing reserved keys with an HTTP 422 error, consistent with the POST endpoint behavior.
Additionally, restrict XCom write permissions to trusted users only, especially in environments where tasks defer to the triggerer, to reduce the risk of exploitation.