PYSEC-2026-20

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-20.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-20

Aliases

Published

2026-04-13T15:17:33.343Z

Modified

2026-06-10T17:00:26.858723506Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.8

Fixed

3.2.0

Affected versions

3.*

3.1.8

3.2.0b1

3.2.0b2

3.2.0rc1

3.2.0rc2

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-20.yaml"