CVE-2026-25917

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.0

Description Dag Authors can craft an XCom payload that allows the webserver to execute arbitrary code, bypassing the restriction that normally prevents them from executing code in the webserver context.

Recommendations Upgrade to Apache Airflow 3.2.0.

Fix

DoS

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

BIT-AIRFLOW-2026-25917

CVE-2026-25917

GHSA-6FFJ-2WG2-W45J

PYSEC-2026-13

Affected Products

Apache Airflow

CVE-2026-25917

Weakness Enumeration

Related Identifiers

Affected Products

References · 14