Code Execution Vulnerability in Apache Airflow by Apache Software Foundation
CVE-2026-25917
Currently unrated
What is CVE-2026-25917?
Apache Airflow contains a vulnerability that allows Dag Authors (trusted users who are typically not authorized to execute code in a webserver context) to craft payloads that could lead to arbitrary code execution. This poses a significant risk, as Dag Authors already have elevated privileges. Users should upgrade to Apache Airflow version 3.2.0 or later to mitigate the vulnerability. For more details, refer to the patch in Apache Airflow PR #61641 and the vendor advisory.
Affected Version(s)
Apache Airflow: all versions before 3.2.0 (0 < 3.2.0)
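The affected range above can be checked against a dependency list before and after upgrading. The following Python script is an added example, not code from the Apache Airflow project or the vendor advisory; the function names and the sample pip-freeze lines are constructed for illustration. It assumes pre-releases of 3.2.0 (rc, beta, dev) count as affected because they sort before 3.2.0 under PEP 440.

```python
import re

FIXED = (3, 2, 0)  # first fixed release, taken from the advisory text

# pip-freeze style line: name, optional [extras], optional operator, version
PIN = re.compile(
    r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;#,]*)")
VER = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
# PEP 440 pre-release / dev suffixes such as rc1, b2, .dev0
PRE = re.compile(r"^[._-]?(a|b|rc|alpha|beta|pre|preview|dev)[._-]?\d", re.I)


def normalize(name):
    """PEP 503 normalization, so apache_airflow and Apache-Airflow match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    m = VER.match(version.strip())
    if not m:
        return "unknown"
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad "3.2" to (3, 2, 0)
    is_pre = bool(PRE.match(m.group(2)))
    if release < FIXED or (release == FIXED and is_pre):
        return "affected"
    return "fixed"


def audit(lines):
    """Return (line, status) for every apache-airflow core entry."""
    findings = []
    for line in lines:
        m = PIN.match(line)
        # Provider packages (apache-airflow-providers-*) are separate
        # distributions and are skipped by the exact-name comparison.
        if not m or normalize(m.group(1)) != "apache-airflow":
            continue
        # Only an exact pin tells us which version is actually installed.
        status = classify(m.group(3)) if m.group(2) == "==" else "unknown"
        findings.append((line.strip(), status))
    return findings


if __name__ == "__main__":
    SAMPLE = ["apache-airflow==2.10.4", "apache_airflow[celery]==3.2.0rc1",
              "Apache-Airflow==3.2.0", "apache-airflow>=3.0",
              "apache-airflow-providers-amazon==9.0.0"]  # constructed input
    for entry, status in audit(SAMPLE):
        print(f"{status:9} {entry}")
```

An "unknown" result means the line does not pin an exact version, so the installed version has to be confirmed on the host itself.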