Description
A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.
Published: 2026-06-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The XCom PATCH endpoint PATCH /api/v2/xcomEntries/{key} allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names such as return_value, which the POST endpoint rejects through the FORBIDDEN_XCOM_KEYS validator. Because the PATCH request body model does not apply that validator, the attacker can store, under a reserved key, a serialized payload shape that the triggerer's deserializer treats as code. When the affected task next defers, the triggerer deserializes the stored value and executes the payload, giving the attacker remote code execution on the host running the triggerer process (a separate Airflow component, not a worker).
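The following is an added example, not Airflow's own code and not part of this advisory: a minimal model of the create/update asymmetry described above, where a reserved-key validator guards the POST/set path but not the PATCH/update path, beside the hardened form and the regression check a reviewer would want (probe every write path, not only the reported one). The class and function names are assumptions, and FORBIDDEN_XCOM_KEYS here holds only the key the advisory names; the real set may be larger.

```python
"""
Added example (not Airflow's code): model of the POST-validated / PATCH-unvalidated
asymmetry described in the advisory, plus the hardened PATCH path and a write-path
audit. Names are assumptions; FORBIDDEN_XCOM_KEYS is reduced to the key the
advisory names.
"""
import json

FORBIDDEN_XCOM_KEYS = frozenset({"return_value"})  # assumption: the real set may be larger


def validate_xcom_key(key: str) -> str:
    """Single validator that every path writing an XCom key must call."""
    if key in FORBIDDEN_XCOM_KEYS:
        raise ValueError(f"XCom key {key!r} is reserved")
    return key


class XComStore:
    """In-memory stand-in (constructed) for the XCom table; keys are (task_id, xcom_key)."""

    def __init__(self) -> None:
        self.entries: dict[tuple[str, str], str] = {}

    def create(self, task_id: str, key: str, value: object) -> None:
        """POST/set path: validated, as the advisory says the earlier fix made it."""
        validate_xcom_key(key)
        self.entries[(task_id, key)] = json.dumps(value)

    def update_vulnerable(self, task_id: str, key: str, value: object) -> None:
        """PATCH path as the advisory describes it: no reserved-key check at all."""
        self.entries[(task_id, key)] = json.dumps(value)

    def update_fixed(self, task_id: str, key: str, value: object) -> None:
        """Hardened PATCH path: the same validator as the create path."""
        validate_xcom_key(key)
        self.entries[(task_id, key)] = json.dumps(value)


def try_write(write, task_id: str, key: str, value: object) -> str:
    """Return 'accepted' or 'rejected' for one write attempt through `write`."""
    try:
        write(task_id, key, value)
    except ValueError:
        return "rejected"
    return "accepted"


def audit_write_paths(store: XComStore) -> list[str]:
    """Regression check: name every write path that accepts a reserved key.

    Enumerating all write paths is the step a fix for one path needs so the
    same bug does not survive on a sibling endpoint.
    """
    leaky = []
    for name in ("create", "update_vulnerable", "update_fixed"):
        for key in sorted(FORBIDDEN_XCOM_KEYS):
            if try_write(getattr(store, name), "t1", key, "x") == "accepted":
                leaky.append(name)
    return leaky


if __name__ == "__main__":
    s = XComStore()
    print(try_write(s.create, "wait", "return_value", "x"))             # rejected
    print(try_write(s.update_vulnerable, "wait", "return_value", "x"))  # accepted
    print(try_write(s.update_fixed, "wait", "return_value", "x"))       # rejected
    print(audit_write_paths(XComStore()))                               # ['update_vulnerable']
```

The audit is the part worth keeping in a real test suite: it iterates over every method that writes a key, so adding a new write endpoint without wiring in the validator fails the test instead of shipping as a bypass.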

Affected Systems

Apache Airflow deployments where untrusted or externally delegated users hold XCom write permission on Dags that defer to the triggerer. The vulnerable endpoint is part of the v2 REST API, and the fix ships in apache‑airflow 3.2.2; the advisory does not enumerate a lower bound for affected versions (the CPE entry is an unbounded wildcard). Users who already upgraded for CVE‑2026‑33858 must also move to 3.2.2 or later, because that earlier fix (PR #64148) added the FORBIDDEN_XCOM_KEYS validator only on the POST/set path and left the PATCH path uncovered.

Risk and Exploitability

Exploitation requires an authenticated UI/API account holding XCom write permission (CVSS PR:L), so the attacker must already operate as an authorized user. Once the malicious XCom entry is stored under a reserved key, the next deferral of the affected task causes the triggerer to deserialize it and execute the payload, compromising the host running the triggerer process; since one triggerer handles deferred tasks across Dags, the blast radius is that host rather than a single Dag's worker. The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity; EPSS is below 1% and the issue is not in the KEV catalog, but the impact is arbitrary code execution. Because the PATCH request is an ordinary authenticated API call that an unpatched server accepts with a success status, nothing is rejected or logged as an error; detection therefore relies on monitoring PATCH requests to the XCom entry routes, alerting on reserved key names such as return_value, and reviewing which principals hold XCom write permission.

Generated by OpenCVE AI on June 2, 2026 at 15:28 UTC.

Remediation

Vendor fix: upgrade apache‑airflow to 3.2.2 or later, as stated in the description above. No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade apache‑airflow to 3.2.2 or later
  • Restrict XCom write permissions to trusted users only on DAGs that defer to the triggerer
  • If an upgrade cannot be performed immediately, block the PATCH method on the XCom entry routes at the reverse proxy or API gateway in front of the API server, and monitor for XCom writes by untrusted principals

Generated by OpenCVE AI on June 2, 2026 at 15:28 UTC.
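The monitoring suggested in the risk analysis and in the recommended actions above can be run over API server access logs. The following is an added example, not OpenCVE's or Airflow's code: it scans log lines for PATCH requests whose path ends in an xcomEntries/{key} segment, flags reserved keys as high severity (after percent-decoding the key, so an attacker cannot hide return_value as return%5Fvalue), and flags any other XCom PATCH by a principal outside a trusted set as medium. The log format, user names and paths are constructed for the example, and the reserved-key set beyond return_value is an assumption.

```python
"""
Added detection example (not OpenCVE's or Airflow's code): flag PATCH requests to
XCom entry routes in access logs. Log format, users and paths are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote

FORBIDDEN_XCOM_KEYS = frozenset({"return_value"})  # assumption: the real set may be larger

# Simplified combined-log style line: ip user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The XCom key is the final path segment after an xcomEntries/ under /api/v2/.
XCOM_KEY_RE = re.compile(r'^/api/v2/.*/xcomEntries/(?P<key>[^/?]+)$')

# Constructed sample: alice does a normal create and update, mallory gets a POST
# rejected (400) and then writes the reserved key via PATCH, once plain and once
# percent-encoded; bob only reads.
SAMPLE_LOG = """\
10.0.0.5 alice [02/Jun/2026:10:00:01 +0000] "POST /api/v2/dags/etl/dagRuns/r1/taskInstances/fetch/xcomEntries HTTP/1.1" 201
10.0.0.5 alice [02/Jun/2026:10:00:02 +0000] "PATCH /api/v2/dags/etl/dagRuns/r1/taskInstances/fetch/xcomEntries/my_key HTTP/1.1" 200
10.0.0.9 mallory [02/Jun/2026:10:05:07 +0000] "POST /api/v2/dags/etl/dagRuns/r1/taskInstances/wait/xcomEntries HTTP/1.1" 400
10.0.0.9 mallory [02/Jun/2026:10:05:09 +0000] "PATCH /api/v2/dags/etl/dagRuns/r1/taskInstances/wait/xcomEntries/return_value HTTP/1.1" 200
10.0.0.9 mallory [02/Jun/2026:10:05:11 +0000] "PATCH /api/v2/dags/etl/dagRuns/r1/taskInstances/wait/xcomEntries/return%5Fvalue HTTP/1.1" 200
10.0.0.7 bob [02/Jun/2026:10:06:00 +0000] "GET /api/v2/dags/etl/dagRuns/r1/taskInstances/wait/xcomEntries/return_value HTTP/1.1" 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    key: str
    status: int
    severity: str


def scan(log_text: str, trusted_users: frozenset[str] = frozenset()) -> list[Finding]:
    """Return one Finding per PATCH to an XCom entry route that merits attention."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "PATCH":
            continue
        k = XCOM_KEY_RE.match(m["path"].split("?", 1)[0])
        if not k:
            continue
        key = unquote(k["key"])  # normalise %5F etc. before comparing
        if key in FORBIDDEN_XCOM_KEYS:
            severity = "high"      # reserved key written through the PATCH path
        elif m["user"] not in trusted_users:
            severity = "medium"    # XCom write by a principal not on the trusted list
        else:
            continue
        findings.append(Finding(n, m["user"], key, int(m["status"]), severity))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, trusted_users=frozenset({"alice"})):
        print(f)
```

A rejected PATCH (non-2xx status after the upgrade) is still reported, because a user probing the reserved key on a patched server is worth a look even when the write failed; filter on `status` downstream if only successful writes should page someone.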

Tracking


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Tue, 02 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1
                           {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Mon, 01 Jun 2026 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Apache
                                       Apache airflow
Vendors & Products                     Apache
                                       Apache airflow

Mon, 01 Jun 2026 09:15:00 +0000

Type          Values Removed   Values Added
Description                    A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.
Title                          Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
Weaknesses                     CWE-502
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T13:03:40.834Z

Reserved: 2026-04-26T19:37:56.165Z

Link: CVE-2026-42359

Vulnrichment

Updated: 2026-06-02T13:03:34.590Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:18.907

Modified: 2026-06-03T02:07:22.770

Link: CVE-2026-42359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data