GHSA-mc4f-r875-v87w

Source

https://github.com/advisories/GHSA-mc4f-r875-v87w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mc4f-r875-v87w/GHSA-mc4f-r875-v87w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mc4f-r875-v87w

Aliases

BIT-airflow-2026-33858
CVE-2026-33858

Downstream

MINI-97fw-3337-7rq4

Published

2026-04-13T15:31:43Z

Modified

2026-04-17T04:56:52.922869761Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API

Details

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-04-13T15:17:33Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed_at": "2026-04-14T23:17:35Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.8

Fixed

3.2.0

Affected versions

3.*

3.1.8

3.2.0b1

3.2.0b2

3.2.0rc1

3.2.0rc2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mc4f-r875-v87w/GHSA-mc4f-r875-v87w.json"