BIT-airflow-2026-45360

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2026-45360.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-airflow-2026-45360

Aliases

CVE-2026-45360
PYSEC-2026-186

Published

2026-06-05T05:40:45.314Z

Modified

2026-06-05T07:56:22.165854017Z

Summary

Apache Airflow: Arbitrary import in custom deadline-reference deserialization

Details

Apache Airflow's scheduler-side deadline-reference decoder (SerializedCustomReference.deserialize_reference) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom DeadlineReference whose serialized form named an attacker-controlled module path, causing the scheduler to import_string(...) and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to apache-airflow 3.2.2 or later.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
    ]
}

References

Affected packages

Bitnami / airflow

Package

Name: airflow
Purl: pkg:bitnami/airflow

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2026-45360.json"