Description
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`). While deserializing a custom reference it calls `import_string(...)` on a class path taken from DAG-author-controlled serialized state, with no allowlist or plugin-registry check, and then instantiates the result with a live SQLAlchemy session attached. Importing a module executes its module-level code, so a DAG author who can place a module on the scheduler's import path gets code execution with the scheduler's privileges, and the instantiated class additionally receives the scheduler's database session. This is a deserialization-of-untrusted-data weakness (CWE-502).
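
The import-a-name-from-serialized-state pattern described above, shown as an added example beside a registry-gated decoder. This is illustrative code written for this page, not Airflow's `SerializedCustomReference` or its fix; the names `DeadlineReference`, `FixedIntervalReference`, `ReferenceRegistry`, `deserialize_reference_unguarded`/`_guarded`, the payload layout and the constructed `evil_ref` module are all assumptions.

```python
import importlib
import os
import sys
import tempfile
from typing import Any


def import_string(dotted_path: str) -> Any:
    """Import 'pkg.mod.Name' and return Name. Importing pkg.mod runs its
    module-level code, so untrusted input must never choose the path."""
    module_path, _, name = dotted_path.rpartition(".")
    if not module_path:
        raise ImportError(f"{dotted_path!r} is not a dotted path")
    return getattr(importlib.import_module(module_path), name)


class DeadlineReference:
    """Hypothetical base class for custom deadline references."""
    def __init__(self, session: Any = None, **kwargs: Any) -> None:
        self.session = session
        self.kwargs = kwargs


class FixedIntervalReference(DeadlineReference):
    """A legitimate custom reference that a plugin would register."""


# Vulnerable pattern: whatever class path the serialized DAG names gets imported.
def deserialize_reference_unguarded(payload: dict, session: Any) -> Any:
    cls = import_string(payload["reference_class"])  # attacker-chosen module runs here
    return cls(session=session, **payload.get("kwargs", {}))


# Hardened pattern: the serialized name is only a key into a registry filled at startup.
class ReferenceRegistry:
    def __init__(self) -> None:
        self._by_path: dict[str, type] = {}

    def register(self, cls: type) -> type:
        if not (isinstance(cls, type) and issubclass(cls, DeadlineReference)):
            raise TypeError(f"{cls!r} is not a DeadlineReference subclass")
        self._by_path[f"{cls.__module__}.{cls.__qualname__}"] = cls
        return cls

    def resolve(self, dotted_path: str) -> type:
        try:
            return self._by_path[dotted_path]  # a miss never triggers an import
        except KeyError:
            raise ValueError(f"unregistered deadline reference: {dotted_path!r}") from None


def deserialize_reference_guarded(payload: dict, session: Any, registry: ReferenceRegistry) -> Any:
    cls = registry.resolve(payload["reference_class"])
    return cls(session=session, **payload.get("kwargs", {}))


# Constructed "attacker" module (an assumption for this demo): its module-level
# code runs the moment it is imported, and its class keeps the session it is handed.
EVIL_MODULE = '''
import pathlib
pathlib.Path(__file__).with_suffix(".marker").write_text("scheduler imported me")

class EvilReference:
    def __init__(self, session=None, **kwargs):
        self.session = session
'''


def demo() -> dict:
    """Feed the same attacker-controlled payload to both decoders."""
    tmp = tempfile.mkdtemp()
    marker = os.path.join(tmp, "evil_ref.marker")
    with open(os.path.join(tmp, "evil_ref.py"), "w") as fh:
        fh.write(EVIL_MODULE)
    sys.path.insert(0, tmp)
    sys.modules.pop("evil_ref", None)
    importlib.invalidate_caches()
    payload = {"reference_class": "evil_ref.EvilReference", "kwargs": {}}
    fake_session = object()  # stands in for the scheduler's SQLAlchemy session
    registry = ReferenceRegistry()
    registry.register(FixedIntervalReference)
    try:
        deserialize_reference_guarded(payload, fake_session, registry)
        guarded_rejected = False
    except ValueError:
        guarded_rejected = True
    imported_by_guarded = os.path.exists(marker)
    ref = deserialize_reference_unguarded(payload, fake_session)
    imported_by_unguarded = os.path.exists(marker)
    sys.path.remove(tmp)
    return {"guarded_rejected": guarded_rejected,
            "imported_by_guarded": imported_by_guarded,
            "imported_by_unguarded": imported_by_unguarded,
            "session_leaked": ref.session is fake_session}


if __name__ == "__main__":
    print(demo())
```

Run directly, the guarded decoder rejects the unregistered name before any import happens (no marker file appears), while the unguarded one imports the attacker's module, runs its module-level code, and hands the session object to the attacker's class. The registry is one way to implement the allowlist or plugin-registry gate the advisory says was missing; it is not the project's implementation.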

Affected Systems

Apache Airflow releases before 3.2.2 are affected. The exposure is confined to deployments where DAG-author code is less trusted than the scheduler process: single-host setups where the DAG bundle is importable from the scheduler, and shared-scheduler setups serving several DAG authors. Upgrading to release 3.2.2 or newer applies the fix.

Risk and Exploitability

The CVSS 3.1 score of 7.3 (High) carries the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, which rates confidentiality, integrity and availability as each partially affected; the SSVC assessment agrees (Technical Impact: partial, Exploitation: none, Automatable: yes). The EPSS score is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can author a DAG whose serialized state is decoded by the scheduler, which is the default on single-host deployments where the DAG bundle is importable from the scheduler process. Because importing the named module executes its module-level code, a DAG author who clears that bar gets code execution inside the scheduler process. Code executed there runs with the scheduler's privileges, including its open metadata-database session, so a compromised scheduler is a strong foothold into the rest of the Airflow deployment.

Generated by OpenCVE AI on June 2, 2026 at 18:37 UTC.

Remediation

The vendor's guidance is to upgrade to `apache-airflow` 3.2.2 or later, which adds the missing guard on the deserialization path; no workaround short of upgrading is listed.

OpenCVE Recommended Actions

  • Apply the latest approved Airflow release (3.2.2 or later) to remove the unguarded deserialization path
  • Ensure that only trusted users can author or upload DAGs that are executed by the scheduler
  • Run the Airflow scheduler with least‑privilege permissions and consider isolating it in a sandbox or container to limit the scope of any potential compromise

Generated by OpenCVE AI on June 2, 2026 at 18:37 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Tue, 02 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 17:30:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Mon, 01 Jun 2026 11:45:00 +0000

Type: First Time appeared
Values added: Apache; Apache airflow

Type: Vendors & Products
Values added: Apache; Apache airflow

Mon, 01 Jun 2026 11:30:00 +0000

Type: References
Values added:

Mon, 01 Jun 2026 09:15:00 +0000

Type: Description
Values added: Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

Type: Title
Values added: Apache Airflow: Arbitrary import in custom deadline-reference deserialization

Type: Weaknesses
Values added: CWE-502

Type: References
Values added:

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T15:48:34.296Z

Reserved: 2026-05-11T22:40:03.868Z

Link: CVE-2026-45360

Vulnrichment

Updated: 2026-06-02T15:48:30.343Z

NVD

Status: Analyzed

Published: 2026-06-01T09:16:19.480

Modified: 2026-06-03T02:06:59.383

Link: CVE-2026-45360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:45:06Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data