Apache Airflow fixes XCom-related code execution flaws in deserialization and example DAGs
Apache disclosed two low-severity code execution issues in Apache Airflow tied to its XCom mechanism and addressed them in Airflow 3.2.0. CVE-2026-33858 affects Airflow versions 3.1.8 before 3.2.0 and stems from unsafe deserialization in the XCom API, where legacy serialization keys __type and __var can bypass protections and let a DAG author craft payloads that execute arbitrary code in the webserver context. Apache said the flaw was rated low severity because DAG authors are already treated as highly trusted users.
Apache also disclosed CVE-2025-54550, a low-severity remote code execution issue involving the documented example_xcom DAG pattern. The vulnerable pattern read XCom values in a way that could allow a UI user with permission to modify XComs to trigger arbitrary code execution on a worker through a race condition. Apache said official releases were not directly affected because example DAGs are not meant to be enabled in production, but organizations that copied the documented approach could reproduce the weakness in their own deployments; updated documentation in Airflow 3.2.0 provides a safer example.
Timeline
Apr 17, 2026
Apache discloses CVE-2026-30898 for unsafe BashOperator documentation example
Apache publicly disclosed CVE-2026-30898 on the oss-sec mailing list, describing a low-severity issue in Airflow documentation that showed how to pass dag_run.conf into BashOperator in a way that could enable shell injection. Apache said Airflow versions before 3.2.0 were affected if users copied the example into their own DAGs, and advised reviewing deployments for adoption of the unsafe pattern.
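Apache's advice above is to review deployments for the unsafe pattern. The following scanner is an added example, not code from Apache or the Airflow project: it parses DAG source with the standard-library `ast` module and flags any `BashOperator` whose `bash_command` string templates `dag_run.conf` directly into the shell text, while not flagging the documented safer form where the value is passed through `env=` and referenced as a shell variable. The sample DAG source is constructed for the demonstration.

```python
"""Find BashOperator tasks that template dag_run.conf straight into bash_command."""
import ast
import re

# A Jinja expression that reaches into dag_run.conf, e.g. {{ dag_run.conf["message"] }}
CONF_IN_JINJA = re.compile(r"\{\{[^}]*dag_run\.conf[^}]*\}\}")


def _call_name(node: ast.Call) -> str:
    f = node.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")


def _string_parts(node: ast.AST):
    """Yield every string literal nested inside a keyword value."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def find_unsafe_bash_commands(dag_source: str) -> list[dict]:
    """One finding per BashOperator whose bash_command renders dag_run.conf into shell text.
    Passing the value via env= is not flagged: the shell then sees it only as a variable."""
    findings = []
    for node in ast.walk(ast.parse(dag_source)):
        if not (isinstance(node, ast.Call) and _call_name(node) == "BashOperator"):
            continue
        task_id = next((v for kw in node.keywords if kw.arg == "task_id"
                        for v in _string_parts(kw.value)), "<unknown>")
        for kw in node.keywords:
            if kw.arg != "bash_command":
                continue
            for text in _string_parts(kw.value):
                if CONF_IN_JINJA.search(text):
                    findings.append({"task_id": task_id, "line": node.lineno, "command": text})
    return findings


# Constructed sample DAG source (not from the Airflow docs): one unsafe task, one safe task.
SAMPLE_DAG = '''
from airflow.operators.bash import BashOperator
unsafe = BashOperator(
    task_id="echo_conf_unsafe",
    bash_command='echo {{ dag_run.conf["message"] }}',
)
safe = BashOperator(
    task_id="echo_conf_safe",
    bash_command='echo "$message"',
    env={"message": '{{ dag_run.conf["message"] }}'},
)
'''

if __name__ == "__main__":
    for f in find_unsafe_bash_commands(SAMPLE_DAG):
        print(f"line {f['line']}: task {f['task_id']!r} templates dag_run.conf into bash_command")
```

Run it over each file in your DAGs folder; a finding means the trigger-time conf becomes part of the command string before the shell parses it.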
Apr 15, 2026
Apache discloses CVE-2025-54550 tied to example_xcom DAG
Apache publicly disclosed CVE-2025-54550 on the oss-sec mailing list, describing a low-severity remote code execution issue caused by a race condition in the documented example_xcom DAG pattern. Apache noted that Airflow 3.2.0 documentation includes a more resilient example and credited Vincent55 Yang for reporting the issue.
Apr 15, 2026
Apache Airflow users exposed to unsafe XCom example pattern
Before Airflow 3.2.0, Apache Airflow documentation included an example_xcom DAG pattern that could allow arbitrary code execution on a worker via a race condition if a UI user with permission to modify XComs abused it. Apache said official releases were not affected because example DAGs are not meant to be enabled in production, but users who copied the pattern into their own deployments could reproduce the issue.
Apr 13, 2026
Apache discloses CVE-2026-33858 in oss-sec advisory
Apache publicly disclosed CVE-2026-33858 on the oss-sec mailing list, describing it as a low-severity unsafe deserialization vulnerability in Apache Airflow and recommending upgrade to version 3.2.0. The advisory credited wooseokdotkim for finding the issue and Amogh Desai for the remediation work.
Apr 13, 2026
Apache fixes legacy XCom deserialization bypass in Airflow 3.2.0
Apache addressed CVE-2026-33858 in Airflow 3.2.0, fixing an unsafe deserialization flaw in the XCom API where legacy serialization keys (__type/__var) could bypass protections and let DAG authors trigger arbitrary code execution in the webserver context. The issue affected Airflow versions 3.1.8 before 3.2.0.
Related Stories

Apache Airflow Flaws Enable Security Bypass and Multiple Additional Vulnerabilities
German authorities issued advisories for **Apache Airflow** covering a vulnerability that can bypass security measures and a separate notice for **multiple vulnerabilities** affecting the workflow orchestration platform. The alerts indicate that Airflow deployments may be exposed to weaknesses that undermine intended protections and introduce additional security risk across affected environments. Organizations using Apache Airflow should review the referenced advisories, identify affected versions, and prioritize vendor-recommended updates or mitigations. Because Airflow is commonly used to manage automated data pipelines and scheduled jobs, successful exploitation could weaken access controls or expose connected systems and workflows to further compromise.
1 week ago
Apache Airflow 3.0.x Exposed JWTs Through Logout and Logging Flaws
Apache disclosed two JWT-related vulnerabilities in Apache Airflow affecting versions `3.0.0` before `3.2.0`. The first, `CVE-2025-57735`, is a low-severity flaw in which logout did not invalidate authentication JWTs, leaving intercepted tokens usable after a user signed out. The second, `CVE-2026-31987`, is a moderate-severity issue that caused task JWTs to appear in logs, potentially exposing credentials to users who could then act as DAG authors. Apache said both issues are fixed in Airflow `3.2.0`, which adds token invalidation on logout and removes the logging exposure. Organizations running affected releases have been advised to upgrade to `3.2.0` or later, particularly where shared log access or concerns about token reuse could increase the risk of unauthorized access and privilege escalation.
2 weeks ago
OpenCode AI Coding Agent RCE via Unauthenticated Local Server and Web UI XSS
Security researchers disclosed two high-severity vulnerabilities in the open-source **OpenCode** AI coding agent that can allow **arbitrary command execution on a developer workstation** in drive-by scenarios. **CVE-2026-22812** stems from OpenCode automatically starting an **unauthenticated HTTP server** with **permissive CORS** (`Access-Control-Allow-Origin: *`), enabling any local process—or a malicious website via cross-origin requests—to invoke sensitive local API endpoints and execute shell commands with the user’s privileges. Separately, **CVE-2026-22813** is a **critical** issue in the OpenCode web UI where the markdown renderer can inject arbitrary HTML into the DOM without sanitization (no *DOMPurify* and no CSP), enabling JavaScript execution on the `http://localhost:4096` origin and subsequent access to local APIs that can spawn processes. Mitigations are available for both OpenCode issues: **CVE-2026-22812** is fixed in **OpenCode 1.0.216**, and **CVE-2026-22813** is fixed in **OpenCode 1.1.10**. Other items in the set describe unrelated vulnerabilities in different products (e.g., a command-injection flaw in an end-of-life VS Code extension, unsafe deserialization in *LlamaIndex*, ReDoS in *LangChain*, and various web app SQLi/XSS/access-control issues) and do not materially change the OpenCode risk picture; they should be tracked separately by affected-asset ownership and exposure.
1 month ago