Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-33264: Apache Airflow Scheduler RCE via DAG Deserialization
CVE-2026-33264: Apache Airflow Scheduler RCE via DAG Deserialization

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-33264

CVE-2026-33264: Apache Airflow Scheduler RCE via DAG Deserialization

A critical deserialization flaw in Apache Airflow allows malicious DAG authors to execute arbitrary code on the Scheduler and API Server, scoring CVSS 9.8. Immediate upgrade required.

Dylan H.

Security Team

July 8, 2026
5 min read

Affected Products

  • Apache Airflow (versions prior to patched release)
  • Airflow Scheduler
  • Airflow API Server

Executive Summary

The Apache Software Foundation has disclosed CVE-2026-33264, a critical remote code execution vulnerability in Apache Airflow scoring CVSS 9.8 (Critical). The flaw exists in BaseSerialization.deserialize(), where attacker-controlled class paths can be passed to import_string() without restriction when the Scheduler or API Server loads a serialized DAG.

A malicious DAG author can embed a crafted trigger into a DAG definition to gain remote code execution on the Scheduler or API Server process — components that typically run with elevated privileges within data pipeline infrastructure.


Vulnerability Overview

Root Cause

Apache Airflow serializes DAG objects to allow the Scheduler to reconstruct workflow definitions without executing the full DAG file on every evaluation. The BaseSerialization.deserialize() method calls import_string() on class paths stored in the serialized DAG. No allowlist validation was performed on these class paths, meaning an attacker-controlled string could reference any importable Python class — including those from installed packages that execute code upon import or instantiation.

Attack Chain

1. Attacker with DAG authoring access crafts a malicious DAG
2. DAG embeds a trigger or callback referencing a malicious class path
3. Airflow Scheduler loads and deserializes the DAG from the database
4. BaseSerialization.deserialize() calls import_string() on the attacker-controlled path
5. Arbitrary Python class is imported and instantiated on the Scheduler process
6. Attacker achieves RCE with Scheduler process privileges

Attack Surface

This vulnerability is particularly impactful in multi-tenant Airflow environments where:

  • Multiple teams or users can author and submit DAGs
  • The Scheduler and API Server process handle trusted and untrusted DAGs equally
  • DAG serialization is used as a performance optimization (Airflow's default since v2.x)

Technical Details

Vulnerable Component

ComponentFile / MethodImpact
BaseSerialization.deserialize()airflow/serialization/serialized_objects.pyRCE on Scheduler / API Server
Airflow SchedulerDaemon processFull process compromise
Airflow API ServerREST API backendFull process compromise

Exploitation Requirements

RequirementDetails
AuthenticationDAG authoring access (Git, UI, or API)
Network PositionNo special network access required post-DAG submission
ComplexityLow — single malicious DAG file
PrivilegesDAG author-level access in Airflow

The vulnerability requires an attacker to be able to submit or modify a DAG definition. In environments where DAGs are sourced from version-controlled repositories, this could be exploited via:

  • Supply chain attacks against DAG repositories
  • Compromised CI/CD pipelines pushing DAGs
  • Insider threats with DAG authoring access
  • Misconfigured DAG folder permissions

Identifying Affected Systems

Detection — Are You Running Serialized DAGs?

Serialized DAGs are enabled by default in Airflow 2.x and later. Verify your configuration:

# Check airflow.cfg
grep -i "store_serialized_dags\|min_serialized_dag_update_interval" airflow.cfg
 
# Or via environment variable
echo $AIRFLOW__CORE__STORE_SERIALIZED_DAGS

Check Airflow Version

airflow version
 
# Or via pip
pip show apache-airflow | grep Version

Log Analysis — Suspicious deserialization

# Search Scheduler logs for unexpected import_string calls
grep -i "import_string\|BaseSerialization\|deserialize" \
  /opt/airflow/logs/scheduler/*.log | grep -v "airflow\."

Remediation

Upgrade Apache Airflow

Apply the patched release from the Apache Software Foundation immediately. Consult the official Airflow security bulletin for the specific fixed version.

# Upgrade Airflow
pip install --upgrade apache-airflow
 
# Or with extras
pip install "apache-airflow[celery,postgres]" --upgrade
 
# Verify version after upgrade
airflow version

Interim Mitigations

If immediate upgrade is not possible:

1. Restrict DAG authoring access

Limit who can submit or modify DAGs to trusted personnel only. Enforce code review gates before DAGs reach production Schedulers.

2. Isolate the Scheduler process

Run the Scheduler with minimal OS privileges using systemd unit files or container security contexts:

# Kubernetes — restrict Scheduler pod
securityContext:
  runAsNonRoot: true
  runAsUser: 50000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true

3. Audit existing DAGs

Review all DAGs in your Airflow environment for suspicious trigger/callback class paths before applying patches:

# Script to audit DAG triggers for non-Airflow class paths
import ast, os
 
dag_folder = os.environ.get("AIRFLOW__CORE__DAGS_FOLDER", "/opt/airflow/dags")
for root, _, files in os.walk(dag_folder):
    for f in files:
        if f.endswith(".py"):
            src = open(os.path.join(root, f)).read()
            if "import_string" in src or "::" in src:
                print(f"[REVIEW] {os.path.join(root, f)}")

Detection Rules

SIEM Query (Splunk)

index=airflow sourcetype=airflow:scheduler
| search message="*BaseSerialization*" OR message="*import_string*"
| where NOT match(message, "apache-airflow|airflow\.")
| stats count by host, message
| sort -count

Falco Runtime Rule

- rule: Airflow Scheduler Unexpected Module Import
  desc: Detect non-standard module imports during Airflow DAG deserialization
  condition: >
    spawned_process and
    proc.name = "airflow" and
    proc.args contains "scheduler" and
    fd.name startswith "/tmp/"
  output: >
    Airflow Scheduler accessing unexpected path
    (proc=%proc.cmdline fd=%fd.name user=%user.name)
  priority: WARNING

Historical Context

Deserialization vulnerabilities in workflow orchestrators are high-value targets because:

PlatformCVEYearImpact
JenkinsCVE-2017-10003532017Unauthenticated RCE, widespread exploitation
Apache AirflowCVE-2020-119782020Command injection via template injection
Apache AirflowCVE-2023-228862023Remote code execution
Apache AirflowCVE-2026-332642026Scheduler deserialization RCE

Airflow Schedulers typically run in privileged positions within data engineering infrastructure with access to production databases, cloud credentials, and sensitive ETL pipelines. RCE on a Scheduler can result in complete data pipeline compromise.


References

  • NIST NVD — CVE-2026-33264
  • Apache Airflow Security Bulletins
  • Apache Airflow GitHub — Security Advisories

Related Reading

  • CVE-2026-53481: Dell PowerProtect Data Domain Path Traversal
  • CVE-2026-53483: Dell PowerProtect Data Domain Authentication Bypass
#Apache Airflow#RCE#Deserialization#Scheduler#DAG#Python#Critical

Related Articles

CVE-2026-47065: Java Deserialization Filter Bypass via resolveProxyClass (CVSS 9.8)

A CVSS 9.8 critical Java deserialization vulnerability allows attackers to bypass ObjectInputFilter via TC_PROXYCLASSDESC, circumventing acceptMatchers…

7 min read

CVE-2026-10042: manga-image-translator RCE via Unsafe Python Deserialization

A critical CVSS 9.8 remote code execution vulnerability in manga-image-translator allows unauthenticated attackers to execute arbitrary commands by...

4 min read

CVE-2026-48207: Apache Fury PyFury Deserialization RCE

A critical deserialization vulnerability in Apache Fury's Python library PyFury allows attackers to bypass DeserializationPolicy validation hooks via the...

5 min read
Back to all Security Alerts