Apache · Apache Airflow · CVE-2026-25917
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions prior to 3.2.0
**Description**
Dag Authors can craft an XCom payload that causes the webserver to execute arbitrary code, bypassing the restriction that normally prevents Dag Authors from executing code in the webserver context.
**Recommendations**
Upgrade to Apache Airflow 3.2.0.