Executive Summary
The Apache Software Foundation has disclosed CVE-2026-33264, a critical remote code execution vulnerability in Apache Airflow scoring CVSS 9.8 (Critical). The flaw exists in BaseSerialization.deserialize(), where attacker-controlled class paths can be passed to import_string() without restriction when the Scheduler or API Server loads a serialized DAG.
A malicious DAG author can embed a crafted trigger into a DAG definition to gain remote code execution on the Scheduler or API Server process — components that typically run with elevated privileges within data pipeline infrastructure.
Vulnerability Overview
Root Cause
Apache Airflow serializes DAG objects to allow the Scheduler to reconstruct workflow definitions without executing the full DAG file on every evaluation. The BaseSerialization.deserialize() method calls import_string() on class paths stored in the serialized DAG. No allowlist validation was performed on these class paths, meaning an attacker-controlled string could reference any importable Python class — including those from installed packages that execute code upon import or instantiation.
Attack Chain
1. Attacker with DAG authoring access crafts a malicious DAG
2. DAG embeds a trigger or callback referencing a malicious class path
3. Airflow Scheduler loads and deserializes the DAG from the database
4. BaseSerialization.deserialize() calls import_string() on the attacker-controlled path
5. Arbitrary Python class is imported and instantiated on the Scheduler process
6. Attacker achieves RCE with Scheduler process privilegesAttack Surface
This vulnerability is particularly impactful in multi-tenant Airflow environments where:
- Multiple teams or users can author and submit DAGs
- The Scheduler and API Server process handle trusted and untrusted DAGs equally
- DAG serialization is used as a performance optimization (Airflow's default since v2.x)
Technical Details
Vulnerable Component
| Component | File / Method | Impact |
|---|---|---|
BaseSerialization.deserialize() | airflow/serialization/serialized_objects.py | RCE on Scheduler / API Server |
| Airflow Scheduler | Daemon process | Full process compromise |
| Airflow API Server | REST API backend | Full process compromise |
Exploitation Requirements
| Requirement | Details |
|---|---|
| Authentication | DAG authoring access (Git, UI, or API) |
| Network Position | No special network access required post-DAG submission |
| Complexity | Low — single malicious DAG file |
| Privileges | DAG author-level access in Airflow |
The vulnerability requires an attacker to be able to submit or modify a DAG definition. In environments where DAGs are sourced from version-controlled repositories, this could be exploited via:
- Supply chain attacks against DAG repositories
- Compromised CI/CD pipelines pushing DAGs
- Insider threats with DAG authoring access
- Misconfigured DAG folder permissions
Identifying Affected Systems
Detection — Are You Running Serialized DAGs?
Serialized DAGs are enabled by default in Airflow 2.x and later. Verify your configuration:
# Check airflow.cfg
grep -i "store_serialized_dags\|min_serialized_dag_update_interval" airflow.cfg
# Or via environment variable
echo $AIRFLOW__CORE__STORE_SERIALIZED_DAGSCheck Airflow Version
airflow version
# Or via pip
pip show apache-airflow | grep VersionLog Analysis — Suspicious deserialization
# Search Scheduler logs for unexpected import_string calls
grep -i "import_string\|BaseSerialization\|deserialize" \
/opt/airflow/logs/scheduler/*.log | grep -v "airflow\."Remediation
Upgrade Apache Airflow
Apply the patched release from the Apache Software Foundation immediately. Consult the official Airflow security bulletin for the specific fixed version.
# Upgrade Airflow
pip install --upgrade apache-airflow
# Or with extras
pip install "apache-airflow[celery,postgres]" --upgrade
# Verify version after upgrade
airflow versionInterim Mitigations
If immediate upgrade is not possible:
1. Restrict DAG authoring access
Limit who can submit or modify DAGs to trusted personnel only. Enforce code review gates before DAGs reach production Schedulers.
2. Isolate the Scheduler process
Run the Scheduler with minimal OS privileges using systemd unit files or container security contexts:
# Kubernetes — restrict Scheduler pod
securityContext:
runAsNonRoot: true
runAsUser: 50000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true3. Audit existing DAGs
Review all DAGs in your Airflow environment for suspicious trigger/callback class paths before applying patches:
# Script to audit DAG triggers for non-Airflow class paths
import ast, os
dag_folder = os.environ.get("AIRFLOW__CORE__DAGS_FOLDER", "/opt/airflow/dags")
for root, _, files in os.walk(dag_folder):
for f in files:
if f.endswith(".py"):
src = open(os.path.join(root, f)).read()
if "import_string" in src or "::" in src:
print(f"[REVIEW] {os.path.join(root, f)}")Detection Rules
SIEM Query (Splunk)
index=airflow sourcetype=airflow:scheduler
| search message="*BaseSerialization*" OR message="*import_string*"
| where NOT match(message, "apache-airflow|airflow\.")
| stats count by host, message
| sort -countFalco Runtime Rule
- rule: Airflow Scheduler Unexpected Module Import
desc: Detect non-standard module imports during Airflow DAG deserialization
condition: >
spawned_process and
proc.name = "airflow" and
proc.args contains "scheduler" and
fd.name startswith "/tmp/"
output: >
Airflow Scheduler accessing unexpected path
(proc=%proc.cmdline fd=%fd.name user=%user.name)
priority: WARNINGHistorical Context
Deserialization vulnerabilities in workflow orchestrators are high-value targets because:
| Platform | CVE | Year | Impact |
|---|---|---|---|
| Jenkins | CVE-2017-1000353 | 2017 | Unauthenticated RCE, widespread exploitation |
| Apache Airflow | CVE-2020-11978 | 2020 | Command injection via template injection |
| Apache Airflow | CVE-2023-22886 | 2023 | Remote code execution |
| Apache Airflow | CVE-2026-33264 | 2026 | Scheduler deserialization RCE |
Airflow Schedulers typically run in privileged positions within data engineering infrastructure with access to production databases, cloud credentials, and sensitive ETL pipelines. RCE on a Scheduler can result in complete data pipeline compromise.
References
- NIST NVD — CVE-2026-33264
- Apache Airflow Security Bulletins
- Apache Airflow GitHub — Security Advisories