Arbitrary Class Path Import Vulnerability in Apache Airflow Scheduler
CVE-2026-45360


Key Information:

Vendor: Apache

CVE Published: 1 June 2026

What is CVE-2026-45360?

A vulnerability in Apache Airflow allows a DAG author to abuse the scheduler-side deadline-reference decoder. By supplying the serialized form of a custom DeadlineReference, a DAG author can name an arbitrary class path, which the scheduler imports without any restriction. This is particularly dangerous in deployments where DAG-author code is less trusted than the scheduler process itself. The root cause is the absence of an allowlist or plugin-registry gate on the decoded class path, so an attacker-chosen class is instantiated inside the scheduler with an active SQLAlchemy session attached. Users of Apache Airflow should upgrade to version 3.2.2 or later to mitigate this risk.
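To make the missing gate concrete, the following is an added illustration written for this page; it is not Apache Airflow code and does not reproduce the real DeadlineReference decoder. The payload shape, the FixedDeadline class, the example_plugin.deadlines class path and the DEADLINE_REGISTRY allowlist are all constructed for the example. It contrasts a decoder that imports whatever class path the serialized form names with one that only instantiates classes that were registered in advance, which is the allowlist/registry check the advisory says was absent.

```python
import importlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FixedDeadline:
    """Constructed stand-in for a user-defined DeadlineReference subclass."""
    seconds: int

    def resolve(self, start: int) -> int:
        # A deadline is simply the start time plus a fixed offset.
        return start + self.seconds


class DeadlineDecodeError(ValueError):
    """Raised when a serialized deadline reference is rejected."""


# Registry-style allowlist (constructed): only class paths present here may
# ever be instantiated by the decoder. Plugins register their classes at
# load time; anything else in a serialized DAG is refused.
DEADLINE_REGISTRY = {
    "example_plugin.deadlines.FixedDeadline": FixedDeadline,
}


def decode_unrestricted(payload: dict):
    """Insecure pattern: the attacker-controlled 'class' string decides what
    gets imported and instantiated. Any importable class path is accepted."""
    module_name, _, cls_name = payload["class"].rpartition(".")
    cls = getattr(importlib.import_module(module_name), cls_name)
    return cls(**payload.get("kwargs", {}))


def decode_allowlisted(payload: dict):
    """Hardened pattern: the 'class' string is only a lookup key into a fixed
    registry. No import happens at decode time, so an unregistered path
    cannot cause arbitrary code to run in the scheduler."""
    if not isinstance(payload, dict):
        raise DeadlineDecodeError("serialized deadline reference must be a mapping")
    path = payload.get("class")
    cls = DEADLINE_REGISTRY.get(path)
    if cls is None:
        raise DeadlineDecodeError(f"deadline reference class not registered: {path!r}")
    kwargs = payload.get("kwargs", {})
    if not isinstance(kwargs, dict):
        raise DeadlineDecodeError("deadline reference kwargs must be a mapping")
    return cls(**kwargs)


if __name__ == "__main__":
    # Constructed serialized forms: one registered, one naming an arbitrary
    # stdlib class to show that the unrestricted decoder will happily import it.
    good = {"class": "example_plugin.deadlines.FixedDeadline", "kwargs": {"seconds": 60}}
    rogue = {"class": "fractions.Fraction", "kwargs": {"numerator": 1, "denominator": 2}}

    print(decode_allowlisted(good).resolve(100))
    print(type(decode_unrestricted(rogue)).__name__)  # unrelated class instantiated
    try:
        decode_allowlisted(rogue)
    except DeadlineDecodeError as exc:
        print("rejected:", exc)
```

The registered decoder never calls importlib at all: the serialized string is a key, not an instruction, so the only classes that can be constructed are those a plugin or the core code chose to register. That is the property an upgrade to 3.2.2 or later restores for the real decoder.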

Affected Version(s)

Apache Airflow < 3.2.2 (all versions from 0 up to, but not including, 3.2.2)

Credit

Jarek Potiuk