Apache Airflow Vulnerable to Deserialization of Untrusted Data
High severity
GitHub Reviewed
Published
Jun 1, 2026
to the GitHub Advisory Database
•
Updated Jul 9, 2026
Description
Published by the National Vulnerability Database
Jun 1, 2026
Published to the GitHub Advisory Database
Jun 1, 2026
Reviewed
Jul 9, 2026
Last updated
Jul 9, 2026
Apache Airflow's scheduler-side deadline-reference decoder (
SerializedCustomReference.deserialize_reference) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a customDeadlineReferencewhose serialized form named an attacker-controlled module path, causing the scheduler toimport_string(...)and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade toapache-airflow3.2.2 or later.References