Description
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`). When it deserializes a custom `DeadlineReference`, it passes a dotted class path taken from DAG-author-controlled serialized state straight to `import_string(...)`, with no allowlist or plugin-registry check, and then instantiates the resulting class with a live SQLAlchemy session attached. Because importing a module executes that module's top-level code, a DAG author can run arbitrary code in the scheduler process before any class is even instantiated, and the session handed to the instantiated class gives that code direct database access. This is a deserialization-of-untrusted-data weakness (CWE-502).
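The pattern described above, as an added example that is not Airflow's code: a decoder that resolves a dotted class path taken from the serialized payload through `import_string`, beside a gated decoder that only builds types found in a fixed registry. Everything here is constructed for illustration. The helper names, the `__class__` and `reference_type` keys, the `DagRunDeadline` stand-in, the fake session object and the throwaway `untrusted_deadline` module written to a temporary directory are assumptions, not Airflow's real serialized format or internals. The demo shows that the unsafe decoder executes the module's top-level code at import time, while the gated decoder rejects the same payload without importing anything.

```python
"""Unsafe vs. gated deserialization of a custom reference.

Constructed illustration (not Airflow's code). It models the pattern named in
the CVE text: a decoder that resolves a dotted class path taken from
serialized, DAG-author-controlled state. All names below are assumptions made
for this example.
"""
import importlib
import os
import sys
import tempfile
import textwrap


def import_string(dotted_path: str):
    """Resolve 'pkg.mod.Name' to an object. Importing the module runs its top-level code."""
    module_path, _, name = dotted_path.rpartition(".")
    if not module_path:
        raise ImportError(f"{dotted_path!r} is not a dotted module path")
    module = importlib.import_module(module_path)
    return getattr(module, name)


class DagRunDeadline:
    """Stand-in for a built-in, trusted reference type (assumed name)."""

    def __init__(self, session=None):
        self.session = session


def unsafe_deserialize_reference(data: dict, session):
    """Vulnerable pattern: trusts the class path carried in the serialized payload."""
    cls = import_string(data["__class__"])
    return cls(session=session)


# Gate: only types the operator registered (e.g. through a plugin registry) may be built.
REFERENCE_REGISTRY = {
    "DagRunDeadline": DagRunDeadline,
}


def gated_deserialize_reference(data: dict, session):
    """Hardened pattern: the payload selects from a fixed registry; nothing is imported."""
    ref_type = data.get("reference_type")
    cls = REFERENCE_REGISTRY.get(ref_type)
    if cls is None:
        raise ValueError(f"unknown deadline reference type {ref_type!r}")
    return cls(session=session)


SIDE_EFFECT_VAR = "DEMO_REFERENCE_IMPORT_RAN"


def make_untrusted_module() -> str:
    """Write a throwaway module whose import has a visible side effect (constructed demo)."""
    tmpdir = tempfile.mkdtemp()
    with open(os.path.join(tmpdir, "untrusted_deadline.py"), "w") as fh:
        fh.write(textwrap.dedent(f"""
            import os
            os.environ[{SIDE_EFFECT_VAR!r}] = "yes"   # runs at import, before any instantiation
            class Reference:
                def __init__(self, session=None):
                    self.session = session
        """))
    sys.modules.pop("untrusted_deadline", None)  # make sure the import really executes
    sys.path.insert(0, tmpdir)
    return "untrusted_deadline.Reference"


def demo() -> dict:
    """Feed the same attacker-shaped payload to both decoders and report what happened."""
    os.environ.pop(SIDE_EFFECT_VAR, None)
    payload = {"__class__": make_untrusted_module(), "reference_type": "evil"}
    fake_session = object()  # stands in for the live SQLAlchemy session

    unsafe_obj = unsafe_deserialize_reference(payload, fake_session)
    ran_on_unsafe = os.environ.get(SIDE_EFFECT_VAR) == "yes"

    try:
        gated_deserialize_reference(payload, fake_session)
        gated_rejected = False
    except ValueError:
        gated_rejected = True

    builtin = gated_deserialize_reference({"reference_type": "DagRunDeadline"}, fake_session)
    return {
        "unsafe_class": type(unsafe_obj).__name__,
        "unsafe_import_ran_code": ran_on_unsafe,
        "gated_rejected": gated_rejected,
        "gated_accepts_builtin": isinstance(builtin, DagRunDeadline),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary. The point of the gated variant is that the payload can only choose among operator-registered names, so there is no path from serialized state to `importlib`; an allowlist of module prefixes in front of `import_string` would be a weaker second choice, since any importable module under an allowed prefix still has its top-level code run.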

Affected Systems

Apache Airflow releases prior to 3.2.2 are affected. The exposure matters wherever DAG-author code is less trusted than the scheduler process: single-host deployments where the DAG bundle is importable from the scheduler, and any shared scheduler that serves multiple DAG-author teams. Upgrade to 3.2.2 or later to apply the fix.

Risk and Exploitability

No EPSS score is reported and the flaw is not listed in the CISA KEV catalog, so exploitation probability cannot be quantified from those sources. Exploitation requires that the attacker can supply DAG code whose serialized state reaches the scheduler, which is the default on single-host deployments where the DAG bundle is importable from the scheduler process. The vector is therefore anyone able to author or publish a DAG, not an unauthenticated remote user. The impact is nonetheless code execution as the scheduler process and, from there, control of the Airflow environment the scheduler manages.

Generated by OpenCVE AI on June 1, 2026 at 10:37 UTC.

Remediation

Vendor fix: upgrade to `apache-airflow` 3.2.2 or later, as stated in the CVE description. No workaround is listed.

OpenCVE Recommended Actions

  • Apply the latest approved Airflow release (3.2.2 or later) to remove the unguarded deserialization path
  • Ensure that only trusted users can author or upload DAGs that are executed by the scheduler
  • Run the Airflow scheduler with least‑privilege permissions and consider isolating it in a sandbox or container to limit the scope of any potential compromise

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache; Apache airflow
Vendors & Products                    Apache; Apache airflow

Mon, 01 Jun 2026 11:30:00 +0000

Type                 Values Removed   Values Added
References

Mon, 01 Jun 2026 09:15:00 +0000

Type                 Values Removed   Values Added
Description                           Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title                                 Apache Airflow: Arbitrary import in custom deadline-reference deserialization
Weaknesses                            CWE-502
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T09:52:42.733Z

Reserved: 2026-05-11T22:40:03.868Z

Link: CVE-2026-45360

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T09:16:19.480

Modified: 2026-06-01T11:16:25.597

Link: CVE-2026-45360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T11:45:06Z

Weaknesses