Remote Code Execution Vulnerability in Apache Airflow Scheduler
CVE-2026-33264
What is CVE-2026-33264?
A vulnerability exists in the Apache Airflow Scheduler that allows for unauthorized execution of code due to a flaw in the BaseSerialization.deserialize() method. This issue arises when the Scheduler or API Server loads a serialized Directed Acyclic Graph (DAG), allowing a malicious actor to use an untrusted class path. By exploiting this bug, an attacker can embed harmful triggers within a DAG, leading to remote code execution within the Scheduler process. Users are strongly advised to update to apache-airflow version 3.3.0 or later to mitigate this risk. Additionally, implementations where trust in DAG authors is limited should configure the allowed_deserialization_classes setting to maintain a tight allowlist for enhanced security.
Affected Version(s)
Apache Airflow 0 < 3.3.0