Fixed in: 3.2.0
CVE-2026-25917 describes a vulnerability in Apache Airflow where Dag Authors, typically trusted users, can exploit crafted XCom payloads to achieve arbitrary code execution within the webserver context. This vulnerability affects versions 0.0.0 through 3.2.0 of Apache Airflow. The issue is classified as low severity and can be resolved by upgrading to version 3.2.0.
An attacker exploiting this vulnerability could leverage a malicious Dag Author account to inject arbitrary code into the Airflow webserver. This code execution could lead to a range of impacts, including data exfiltration, modification of Airflow configurations, or even complete compromise of the Airflow infrastructure. The blast radius is limited to the resources accessible by the webserver process and the privileges of the user running the Airflow webserver. While the severity is rated as low, the potential for unauthorized code execution within a critical data processing pipeline warrants immediate attention.
CVE-2026-25917 was publicly disclosed on 2026-04-18. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the low severity rating and lack of public exploits, the probability of active exploitation is currently considered low.
Organizations heavily reliant on Apache Airflow for orchestrating complex workflows, particularly those with a large number of Dag Authors or those who grant Dag Authors extensive permissions, are at increased risk. Environments where sensitive data is processed or stored within Airflow DAGs are also particularly vulnerable.
• python / airflow: Inspect XCom payloads for suspicious code patterns using Airflow's logging and monitoring tools.
• python / airflow: Monitor Airflow webserver logs for unusual process executions or errors related to XCom processing.
• python / airflow: Review Dag Author permissions and restrict access to sensitive resources.
• python / airflow: Use Airflow's built-in security features, such as role-based access control (RBAC), to limit the privileges of Dag Authors.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-25917 is to upgrade Apache Airflow to version 3.2.0 or later, which includes the fix. If upgrading is not immediately feasible, consider implementing stricter access controls for Dag Authors, limiting their ability to create or modify DAGs. Review and audit existing DAGs for suspicious XCom payloads. While a direct WAF rule is unlikely to be effective, monitoring webserver logs for unusual code execution patterns could provide early detection. After upgrading, confirm the fix by attempting to trigger an XCom with a crafted payload and verifying that it is properly sanitized.
Update Apache Airflow to version 3.2.0 or later to mitigate the vulnerability. This update fixes the way XCom values are deserialized and thereby prevents arbitrary code execution by malicious Dag Authors.
CVE-2026-25917 is a low-severity vulnerability in Apache Airflow versions 0.0.0–3.2.0 that allows a malicious Dag Author to execute arbitrary code within the webserver context through crafted XCom payloads.
You are affected if you are running Apache Airflow versions 0.0.0 through 3.2.0 and have Dag Authors with sufficient privileges to craft and execute XCom payloads.
Upgrade Apache Airflow to version 3.2.0 or later to remediate this vulnerability. Consider restricting Dag Author permissions as an interim measure.
As of the current date, there are no publicly known active exploits for CVE-2026-25917.
Refer to the official Apache Airflow security advisories for detailed information and updates regarding CVE-2026-25917: [https://airflow.apache.org/security/](https://airflow.apache.org/security/)