Remote Code Execution Vulnerability in Apache Airflow Scheduler
CVE-2026-33264

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
7 July 2026

What is CVE-2026-33264?

A vulnerability exists in the Apache Airflow Scheduler that allows for unauthorized execution of code due to a flaw in the BaseSerialization.deserialize() method. This issue arises when the Scheduler or API Server loads a serialized Directed Acyclic Graph (DAG), allowing a malicious actor to use an untrusted class path. By exploiting this bug, an attacker can embed harmful triggers within a DAG, leading to remote code execution within the Scheduler process. Users are strongly advised to update to apache-airflow version 3.3.0 or later to mitigate this risk. Additionally, implementations where trust in DAG authors is limited should configure the allowed_deserialization_classes setting to maintain a tight allowlist for enhanced security.

Affected Version(s)

Apache Airflow 0 < 3.3.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ziyu Lin
bugbunny.ai
intadd (GitHub handle: @intadd)
K
Amogh Desai (@amoghrajesh)
Jarek Potiuk
.