Remote Code Execution Vulnerability in Apache Airflow by Apache
CVE-2026-42359
8.8 HIGH
What is CVE-2026-42359?
A vulnerability has been identified in the PATCH endpoint for XCom entries in Apache Airflow. It allows authenticated users who hold the appropriate permissions to set reserved key names on XCom entries, and when specific payload shapes are submitted this leads to remote code execution on the task triggerer, bypassing the safeguards that were put in place earlier. Users who have already addressed related issues should confirm that they are running version 3.2.2 or later, which fully remediates this risk. Deployments are affected where untrusted users hold XCom write permissions on Dags, which underlines the need for careful access control on that permission.
Affected Version(s)
Apache Airflow >= 3.2.0, < 3.2.2 (fixed in 3.2.2)
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Credit
Jeff Vier (`@boinger`); Izat (Anisto Mejin) — placeholders; receipt-of-confirmation replies ask each reporter to confirm preferred credit form
Venkatraman Kumar (r3dw0lfsec), Securin
Jarek Potiuk