Platform: python
Component: apache-airflow
Fixed in: 3.2.0
CVE-2025-54550 describes a Remote Code Execution (RCE) vulnerability within Apache Airflow versions ranging from 0.0.0 to 3.2.0. This vulnerability stems from an unsafe pattern in the example_xcom example within the Airflow documentation, allowing UI users with XCom modification privileges to potentially execute arbitrary code on the worker nodes. A fix is available in Airflow 3.2.0.
The core of the vulnerability lies in the example_xcom example provided in the Airflow documentation. This example demonstrates an insecure method of reading XCom values, which can be exploited by a malicious user with the ability to modify XComs through the Airflow UI. Successful exploitation allows an attacker to inject and execute arbitrary code on the Airflow worker nodes. While example DAGs are not intended for production use, users who replicate this pattern in their deployments are at risk. The potential impact includes complete compromise of the worker node, data exfiltration, and disruption of Airflow workflows.
This vulnerability was publicly disclosed on 2026-04-15. There is no indication of active exploitation at this time. The vulnerability is considered low severity due to the requirement of UI access and the intended non-production nature of the example DAGs. No public proof-of-concept exploits have been identified.
Exploit status: EPSS 0.06% (18th percentile)
The primary mitigation for CVE-2025-54550 is to upgrade Apache Airflow to version 3.2.0 or later, which includes a corrected version of the example_xcom example. If an immediate upgrade is not feasible, carefully review all custom DAGs and XCom handling logic to ensure that values are read and processed securely. Avoid replicating the insecure pattern demonstrated in the vulnerable example. Consider implementing stricter access controls on XCom modification privileges within the Airflow UI. After upgrading, verify the fix by reviewing the Airflow documentation and confirming that the example_xcom example uses the improved, secure pattern.
Update Apache Airflow to version 3.2.0 or later to mitigate the vulnerability. Avoid replicating the unsafe pattern of reading XCom values in your implementations, following the recommendations of the updated documentation.
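The DAG review recommended above is easier to repeat if it is scripted. The following is an added example, not code from Apache Airflow or from this advisory. It assumes, since the advisory does not spell out the shape of the unsafe read, that the risky pattern is an XCom value spliced into a BashOperator's bash_command string (a {{ ti.xcom_pull(...) }} template, an f-string over task.output, or an XComArg), where a value edited in the UI becomes command text on the worker; values handed to the shell through env= are treated as safe. The DAG fragments it scans are constructed for the example.

```python
import ast

# Substrings that, in the source of a bash_command, show an XCom value being
# spliced into the command text (assumed unsafe shape for this example; it is a
# heuristic, so ".output" can also match unrelated text in a command).
XCOM_MARKERS = ("xcom_pull", "XComArg", ".output")

def _callee_name(func):
    """Name of the called object for BashOperator(...) or module.BashOperator(...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None

def find_unsafe_xcom_shell_reads(dag_source):
    """Return (line, task_id) for each BashOperator whose bash_command source
    embeds an XCom value. A value passed through env= is not flagged, because
    it reaches the shell as the contents of a variable, not as command text."""
    findings = []
    for node in ast.walk(ast.parse(dag_source)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) != "BashOperator":
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        if "bash_command" not in kwargs:
            continue
        # ast.unparse renders constants, f-string expressions and concatenations
        # back to source text, so one substring scan covers all of those shapes.
        command_src = ast.unparse(kwargs["bash_command"])
        if any(marker in command_src for marker in XCOM_MARKERS):
            task = kwargs.get("task_id")
            task_id = task.value if isinstance(task, ast.Constant) else "<dynamic>"
            findings.append((node.lineno, task_id))
    return findings

# Constructed DAG fragments for this example (not from the Airflow code base).
UNSAFE_DAG = """
bash_push = BashOperator(task_id="bash_push", bash_command="echo pushed")
bash_pull = BashOperator(task_id="bash_pull", bash_command=f'echo "{bash_push.output}"')
templated = BashOperator(task_id="templated_pull",
                         bash_command='echo {{ ti.xcom_pull(task_ids="bash_push") }}')
"""
SAFE_DAG = """
safe_pull = BashOperator(task_id="safe_pull", bash_command='echo "$PUSHED"',
                         env={"PUSHED": '{{ ti.xcom_pull(task_ids="bash_push") }}'})
"""

if __name__ == "__main__":
    for line, task_id in find_unsafe_xcom_shell_reads(UNSAFE_DAG):
        print(f"line {line}: task {task_id!r} splices an XCom value into its shell command")
```

Point it at the contents of each file in your DAGs folder; a finding means the XCom value should be validated in a Python task and passed to the shell as data (for example via env=) rather than rendered into the command string.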
CVE-2025-54550 is a Remote Code Execution vulnerability affecting Apache Airflow versions 0.0.0–3.2.0. It allows an attacker with XCom modification access to execute arbitrary code on the worker nodes.
You are affected if you are using Apache Airflow versions 0.0.0 through 3.2.0 and have replicated the insecure XCom pattern from the example_xcom example in your custom DAGs.
Upgrade Apache Airflow to version 3.2.0 or later. Review and remediate any custom DAGs that use the vulnerable XCom pattern.
There is currently no evidence of active exploitation of CVE-2025-54550.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information: https://airflow.apache.org/security/