CVE-2026-33264

ADVISORY - pypa

Summary

A bug in BaseSerialization.deserialize() allowed unrestricted import_string() of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to apache-airflow 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the [core] allowed_deserialization_classes config to a narrow allowlist.

EPSS Score: 0.01086 (0.613)

Common Weakness Enumeration (CWE)


PypA

CREATED

UPDATED

ADVISORY ID

PYSEC-2026-2082

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

9.8critical

Bitnami

CREATED

UPDATED

ADVISORY ID

BIT-airflow-2026-33264

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

9.8critical