Arbitrary Code Execution in Apache Airflow by Authorized Users
CVE-2026-33858

8.8 HIGH

Key Information:

Vendor

Apache

CVE Published:
13 April 2026

What is CVE-2026-33858?

A vulnerability exists in Apache Airflow that allows Dag Authors, who normally should not be able to execute code in the webserver context, to craft XCom payloads that cause the webserver to execute arbitrary code. This elevation of privilege could lead to unauthorized actions if exploited. Users are encouraged to update to Apache Airflow version 3.2.0 to mitigate the risks associated with this issue.

Affected Version(s)

Apache Airflow 3.1.8 up to, but not including, 3.2.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

wooseokdotkim
Amogh Desai