CVE-2026-33264
Received Received - Intake

Remote Code Execution in Apache Airflow Scheduler

Vulnerability report for CVE-2026-33264, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Apache Software Foundation

Description

A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the `[core] allowed_deserialization_classes` config to a narrow allowlist.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 3.3.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache Airflow's BaseSerialization.deserialize() method, which allowed unrestricted import_string() of attacker-controlled class paths when the Scheduler or API Server loaded a serialized DAG.

A DAG author could embed a malicious trigger into a DAG, enabling remote code execution on the API Server or Scheduler process. This crosses the Airflow security boundary because DAG-author code should never execute in those processes.

The root cause was a dead code path related to the serialization of BaseTrigger instances that was no longer needed but still present, allowing unsafe deserialization.

The vulnerability was fixed by removing this dead code path and restricting deserialization to trusted classes only.

Impact Analysis

This vulnerability can allow an attacker who can author DAGs to execute arbitrary code remotely on the Airflow API Server or Scheduler processes.

Such remote code execution compromises the security boundary of Airflow, potentially leading to full system compromise, data breaches, or unauthorized control over Airflow infrastructure.

It can also lead to instability or denial of service if malicious code disrupts normal operations.

Detection Guidance

This vulnerability involves the deserialization of attacker-controlled class paths in Apache Airflow's Scheduler and API Server when loading serialized DAGs. Detection would involve identifying if your Airflow deployment is running a vulnerable version prior to 3.3.0 and if serialized DAGs are being loaded without restrictions on deserialization classes.

Since the vulnerability is related to deserialization of DAGs and triggers, you can check your Airflow version with the command:

  • airflow version

To detect if unsafe deserialization is possible, review your Airflow configuration for the `[core] allowed_deserialization_classes` setting. If it is not set or is too permissive, your system may be vulnerable.

Additionally, monitoring logs for suspicious deserialization activity or unexpected imports during DAG loading could help detect exploitation attempts, but no specific commands for this are provided in the resources.

Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.3.0 or later, where this vulnerability has been fixed.

As a defense-in-depth measure, if you cannot upgrade immediately, restrict the `[core] allowed_deserialization_classes` configuration to a narrow allowlist of trusted classes to limit deserialization to safe objects only.

Removing or restricting the deserialization of triggers and related serialized DAG components in the Scheduler and API Server reduces the attack surface, as implemented in the fixes described in the resources.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart