CVE-2026-45360
Arbitrary Code Execution in Apache Airflow Scheduler
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow | 3.2.2 |
| apache | apache_airflow | From 3.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-45360 impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability in Apache Airflow involves the scheduler-side deadline-reference decoder, which previously imported and instantiated arbitrary class paths from DAG-author-controlled serialized state without any allowlist or plugin registry gate.
A DAG author could embed a custom DeadlineReference whose serialized form named an attacker-controlled module path, causing the scheduler to import and instantiate that class with a live SQLAlchemy session attached.
This means that if the DAG-author code is less trusted than the scheduler process, an attacker could execute arbitrary code within the scheduler by exploiting this flaw.
The vulnerability was addressed by requiring custom deadline references to be registered via plugins instead of being defined inline in DAGs, replacing the unsafe import_string() method with a plugin-based registry system.
How can this vulnerability impact me?
This vulnerability can allow an attacker who can control DAG-author code to execute arbitrary code within the Airflow scheduler process.
Since the scheduler process may have elevated privileges and access to live SQLAlchemy sessions, this could lead to unauthorized access, data manipulation, or disruption of workflow scheduling.
Deployments where DAG-author code is less trusted than the scheduler process are particularly at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the scheduler-side deserialization of arbitrary class paths from DAG-author-controlled serialized state in Apache Airflow. Detection would involve inspecting DAGs for custom DeadlineReference classes defined inline rather than registered through the new plugin registry system.
Specifically, check your DAG files for any custom DeadlineReference definitions that are not registered as plugins. Since the vulnerability arises from the scheduler importing DAG-author-controlled module paths via import_string(), logging import_string() calls, or alerting on unexpected module imports in the scheduler process, could help detect exploitation attempts.
However, no explicit detection commands or network signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, where this vulnerability is fixed by requiring custom deadline references to be registered via plugins instead of being defined inline in DAGs.
Additionally, review your DAGs for any custom DeadlineReference classes defined inline and migrate them to use the new plugin-based registry system by implementing the `deadline_references` attribute in the AirflowPlugin class.
This approach prevents the scheduler from importing arbitrary attacker-controlled modules and instantiating them with live SQLAlchemy sessions.
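The two decoder patterns contrasted in the answers above (an import_string()-style decoder that resolves whatever dotted path the serialized state names, versus a registry that only knows classes contributed by loaded plugins) can be shown side by side. The code below is an added illustration, not Airflow's own implementation: the `DeadlineReference` base class, `decode_unsafe`, `DeadlineReferenceRegistry`, `ExamplePlugin` and the serialized dictionaries are all hypothetical; only the `deadline_references` plugin attribute name is taken from the text, and the real Airflow API is not assumed to match. The benign stdlib class `fractions.Fraction` stands in for "any importable class" so the unsafe behaviour is visible without running anything harmful.

```python
"""Added example (not Apache Airflow code): unsafe dotted-path decoding
beside a plugin-registry-gated decoder, illustrating the CWE-502 pattern
described for CVE-2026-45360. All class and function names are hypothetical."""
import importlib
from datetime import datetime
from typing import Any


def import_string(dotted_path: str) -> Any:
    """Resolve 'package.module.Name' to the object it names.

    Stand-in for the import_string() helper the advisory refers to. It will
    import ANY module on sys.path, which is exactly the problem when the
    path comes from DAG-author-controlled serialized state.
    """
    module_path, _, name = dotted_path.rpartition(".")
    if not module_path or not name:
        raise ImportError(f"{dotted_path!r} is not a dotted path")
    return getattr(importlib.import_module(module_path), name)


class DeadlineReference:
    """Hypothetical base class for deadline references (not Airflow's)."""

    def __init__(self, **kwargs: Any) -> None:
        self.kwargs = kwargs


class FixedDatetimeDeadline(DeadlineReference):
    """A benign plugin-provided reference: a deadline at a fixed instant."""

    def __init__(self, at: str) -> None:
        super().__init__(at=at)
        self.at = datetime.fromisoformat(at)


def decode_unsafe(serialized: dict[str, Any]) -> Any:
    """Vulnerable pattern (CWE-502): the serialized state itself names the class.

    Whatever dotted path is stored gets imported and instantiated, so the
    decoder's trust boundary collapses to 'anything importable'.
    """
    cls = import_string(serialized["reference_class"])
    return cls(**serialized.get("kwargs", {}))


class DeadlineReferenceRegistry:
    """Hardened pattern: only classes contributed by loaded plugins can decode.

    The 'deadline_references' attribute name mirrors the plugin attribute the
    advisory mentions; the registry design itself is this example's own.
    """

    def __init__(self) -> None:
        self._by_name: dict[str, type[DeadlineReference]] = {}

    def register_plugin(self, plugin: Any) -> None:
        for cls in getattr(plugin, "deadline_references", []):
            # Only real DeadlineReference subclasses may be registered.
            if not (isinstance(cls, type) and issubclass(cls, DeadlineReference)):
                raise TypeError(f"{cls!r} is not a DeadlineReference subclass")
            existing = self._by_name.get(cls.__name__)
            if existing is not None and existing is not cls:
                raise ValueError(f"duplicate deadline reference name {cls.__name__!r}")
            self._by_name[cls.__name__] = cls

    def decode(self, serialized: dict[str, Any]) -> DeadlineReference:
        name = serialized["reference_name"]
        try:
            cls = self._by_name[name]
        except KeyError:
            # Unknown names, dotted import paths included, are refused outright;
            # nothing is imported on the basis of DAG-controlled input.
            raise LookupError(f"deadline reference {name!r} is not registered") from None
        return cls(**serialized.get("kwargs", {}))


class ExamplePlugin:
    """Stand-in for an AirflowPlugin subclass declaring its references."""

    deadline_references = [FixedDatetimeDeadline]


def demo() -> tuple[Any, DeadlineReference, bool]:
    # Constructed serialized state, shaped like what a scheduler might load.
    arbitrary = {"reference_class": "fractions.Fraction",
                 "kwargs": {"numerator": 1, "denominator": 3}}
    legitimate = {"reference_name": "FixedDatetimeDeadline",
                  "kwargs": {"at": "2026-06-01T00:00:00+00:00"}}

    # Unsafe decoder: imports and instantiates a class no plugin ever registered.
    resolved = decode_unsafe(arbitrary)

    # Registry-gated decoder: the registered class decodes, anything else is refused.
    registry = DeadlineReferenceRegistry()
    registry.register_plugin(ExamplePlugin)
    ok = registry.decode(legitimate)
    try:
        registry.decode({"reference_name": "fractions.Fraction", "kwargs": {}})
        refused = False
    except LookupError:
        refused = True
    return resolved, ok, refused


if __name__ == "__main__":
    resolved, ok, refused = demo()
    print(type(resolved).__name__, ok.at.isoformat(), refused)
```

The contrast is the whole point of the fix described above: `decode_unsafe` performs an import driven by serialized data, while `DeadlineReferenceRegistry.decode` performs only a dictionary lookup, so the set of instantiable classes is fixed at plugin-load time and a DAG author cannot widen it. Logging the `LookupError` path is also a cheap detection signal for serialized state that names an unregistered reference.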