Overview
CVE-2026-33858 is a high-severity (CVSS 8.8) code injection vulnerability in Apache Airflow, the widely used open-source platform for programmatic workflow authoring, scheduling, and monitoring. Published on April 13, 2026, the flaw allows DAG Authors — users who have permission to create and edit Directed Acyclic Graphs (DAGs) — to craft a specially structured XCom payload that causes the webserver component to execute arbitrary code.
The Apache Airflow project recommends upgrading to version 3.2.0 to fully remediate the issue.
Technical Details
What Is XCom?
XCom (short for "cross-communication") is Apache Airflow's built-in mechanism for passing small amounts of data between tasks in a DAG. A task pushes a value with xcom_push() (a TaskFlow task's return value is pushed automatically under the key return_value) and another task retrieves it with xcom_pull(). Values are serialized (JSON under the default XCom backend) and stored in the xcom table of the Airflow metadata database; the webserver reads them back to render them in the UI's XCom view and to serve them through the REST API.
Root Cause
The vulnerability stems from improper handling of XCom payload data in the webserver's rendering context. A DAG Author can construct an XCom value whose structure triggers code execution when the webserver processes or renders it. Writing the entry is within a DAG Author's legitimate privileges: they are trusted to submit and run workflow code, and any task they author can push an XCom value. What they should not be able to do is turn that stored value into code execution inside the webserver process.
The webserver's failure to adequately sanitize or isolate XCom content during display or processing creates a path from DAG Author → arbitrary webserver-context code execution.
Attack Flow
- Attacker holds or obtains DAG Author privileges: the attacker is an authenticated user with DAG creation or editing rights
- Attacker crafts a malicious XCom payload: an XCom value designed to trigger code execution when the webserver renders or processes it
- The payload is stored in the Airflow metadata database through a normal task execution (any task the attacker authors can push it)
- The webserver processes the payload: while rendering, displaying, or serving XCom data through the API, the crafted value causes arbitrary code to execute in the webserver context
- Code runs as the webserver process: depending on the deployment, this may expose environment variables, secrets, mounted credentials, or the underlying host
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 8.8 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (DAG Author) |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
The 8.8 score corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: full confidentiality, integrity and availability impact from code execution in the webserver context, held below Critical only by the Low (not None) privilege requirement, since a DAG Author account is needed. Note that Scope is Unchanged; the same metrics with Scope Changed would score 9.9, so a table listing Scope as Changed alongside 8.8 is inconsistent.
Affected Versions
| Software | Affected Versions |
|---|---|
| Apache Airflow | All versions prior to 3.2.0 |
Severity Context
The Apache Airflow security advisory rates the practical severity as Low, because DAG Authors are already highly trusted in the Airflow permission model: they author Python code that the scheduler's DAG processor parses and that workers execute. The CVSS 8.8 High score instead reflects the technical capability to run code outside those components, specifically inside the webserver process, which is more than the DAG Author role is intended to grant and is a privilege escalation in deployments where the webserver holds material the workers do not.
In deployments where:
- The webserver has access to secrets, API keys, or cloud credentials
- The webserver runs with elevated OS-level permissions
- Airflow is deployed in a shared or multi-tenant environment
...the real-world impact can be significant, even if exploitation requires a DAG Author credential.
Patch & Mitigation
Patch: Upgrade to Apache Airflow 3.2.0 or later. The patch addresses the improper handling of XCom payload data in the webserver context.
First confirm the installed version, then upgrade:
```shell
# Check your current Airflow version (anything below 3.2.0 is affected)
airflow version
# Upgrade via pip. Airflow's install docs recommend pinning with the
# constraints file that matches the target Airflow and Python version.
pip install apache-airflow==3.2.0
# Or upgrade via your deployment method (e.g., Helm chart, Docker image)
```
Additional hardening measures:
- Restrict DAG Author accounts: audit which users can create or edit DAGs; remove or reduce privileges for any account that does not need them
- Isolate the Airflow webserver: ensure the webserver process does not have access to sensitive environment variables, cloud credentials, or secrets beyond what it strictly requires
- Separate secrets from the webserver: use a dedicated secrets backend (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager) rather than environment variables readable by the webserver process
- Monitor XCom data: review the xcom table (or the UI's XCom view) for entries that do not look like the output of normal task execution, such as values that are not plain JSON, that contain HTML or template syntax, or that belong to DAGs you do not recognize
- Audit Airflow logs: check webserver logs for anomalous output or unexpected process behavior following XCom views or API requests
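The "Monitor XCom data" measure above, and the later recommendation to check stored XCom entries for anomalies while an upgrade is delayed, are easier to act on with a script than by paging through the UI. The following is an added example, not code from the Apache Airflow project or from the advisory. It assumes the metadata database's xcom table exposes the columns dag_id, task_id, run_id, key, value and timestamp, with value holding the serialized payload (JSON under the default XCom backend), and it builds a constructed in-memory SQLite copy of that table so it runs offline; point the same queries at your real database connection to use it. The heuristics (size limit, non-JSON or pickled values, HTML and Jinja markers, unknown DAG ids) are assumptions about what "unusual" means in a value the webserver will render, not a signature for the CVE-2026-33858 payload, whose structure this page does not describe.

```python
"""Flag stored XCom rows that do not look like ordinary task output.

Added example, not Apache Airflow project code. Assumes an `xcom` table with the
columns dag_id, task_id, run_id, key, value, timestamp, where `value` is the
serialized payload (JSON by default). Sample rows below are constructed.
"""
import json
import sqlite3
from dataclasses import dataclass

# Assumption: values passed between tasks are small; tune for your DAGs.
MAX_VALUE_BYTES = 64 * 1024

# Generic markers that have no business in data passed between tasks. HTML and
# Jinja syntax matter because the webserver renders these values. Assumption,
# not a CVE-specific signature; extend as needed.
SUSPICIOUS_MARKERS = ("<script", "{{", "{%", "javascript:")


@dataclass
class Finding:
    dag_id: str
    task_id: str
    key: str
    reason: str


def check_value(raw):
    """Return the reasons a single XCom value is suspicious (empty list if none)."""
    reasons = []
    if isinstance(raw, bytes):
        if raw.startswith(b"\x80"):  # pickle protocol >= 2 opcode; never starts JSON
            reasons.append("value looks like a pickle, not JSON")
        text = raw.decode("utf-8", errors="replace")
    else:
        text = str(raw)
    if len(text.encode("utf-8")) > MAX_VALUE_BYTES:
        reasons.append(f"value exceeds {MAX_VALUE_BYTES} bytes")
    try:
        json.loads(text)
    except ValueError:
        reasons.append("value is not valid JSON")
    lowered = text.lower()
    reasons.extend(f"contains marker {m!r}" for m in SUSPICIOUS_MARKERS if m in lowered)
    return reasons


def audit_xcoms(conn, known_dag_ids):
    """Scan every XCom row; also flag rows whose dag_id is not a deployed DAG."""
    findings = []
    rows = conn.execute("SELECT dag_id, task_id, key, value FROM xcom ORDER BY timestamp")
    for dag_id, task_id, key, value in rows:
        reasons = [] if dag_id in known_dag_ids else ["dag_id is not among deployed DAGs"]
        reasons += check_value(value)
        findings.extend(Finding(dag_id, task_id, key, r) for r in reasons)
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for the real metadata database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE xcom (dag_id TEXT, task_id TEXT, run_id TEXT, key TEXT, "
        "value BLOB, timestamp TEXT)"
    )
    rows = [
        ("etl_daily", "extract", "scheduled__1", "return_value", b'{"rows": 1240}', "2026-04-14T01:00:00"),
        ("etl_daily", "load", "scheduled__1", "return_value", b'"s3://bucket/out.parquet"', "2026-04-14T01:05:00"),
        ("etl_daily", "extract", "manual__2", "return_value", b'"<script>alert(1)</script>"', "2026-04-14T02:00:00"),
        ("etl_daily", "transform", "manual__2", "return_value", b"\x80\x04\x95K\x01.", "2026-04-14T02:01:00"),
        ("ghost_dag", "t", "manual__1", "return_value", b'{"ok": true}', "2026-04-14T02:02:00"),
        ("etl_daily", "report", "manual__3", "blob", b'"' + b"A" * 70000 + b'"', "2026-04-14T03:00:00"),
    ]
    conn.executemany("INSERT INTO xcom VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    # known_dag_ids should come from your deployed DAG set (e.g. the dag table).
    for f in audit_xcoms(build_sample_db(), known_dag_ids={"etl_daily"}):
        print(f"{f.dag_id}/{f.task_id} key={f.key}: {f.reason}")
```

The unknown-DAG check is deliberately separate from the value checks: a row for a DAG that no longer exists in the deployed set is worth a look regardless of its content, since DAG Authors can delete the DAG file after a run has pushed its values.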
Context: Apache Airflow Deployment Scale
Apache Airflow is one of the most widely deployed workflow orchestration platforms in the world, used by data engineering and MLOps teams at thousands of organizations. Common deployment patterns include:
- Cloud-managed deployments — Amazon MWAA (Managed Workflows for Apache Airflow), Google Cloud Composer, Astronomer
- Self-hosted Docker/Kubernetes deployments — often with the webserver holding cloud provider credentials
- On-premises data platform deployments — frequently integrated with database systems, data lakes, and internal APIs
Because Airflow's webserver typically has network access to backend data infrastructure and may hold cloud provider credentials in its environment, achieving code execution in the webserver context can provide a significant foothold for attackers operating from a DAG Author position.
Recommendations
Organizations running Apache Airflow should:
- Upgrade to 3.2.0 immediately — this is the recommended remediation
- Review DAG Author membership — the attack requires DAG Author privileges; reducing unnecessary access to this role mitigates exposure
- Check XCom data for anomalies — if upgrade is delayed, review stored XCom entries for unexpected content
- Assess webserver blast radius — understand what credentials and resources are accessible to the webserver process in your environment
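Assessing the webserver's blast radius means listing concretely what credential material the webserver process can read, which is what an attacker with code execution in that process would reach first. The following is an added example, not Airflow project code; run it as the webserver user inside the webserver container or host. The environment-variable name patterns (including Airflow's own AIRFLOW_CONN_*, AIRFLOW__CORE__FERNET_KEY and AIRFLOW__DATABASE__SQL_ALCHEMY_CONN settings) and the candidate file paths are assumptions about where credentials commonly live, and the environment passed in at the bottom is constructed. Only variable names are reported, never values.

```python
"""Inventory the credential material reachable from the Airflow webserver process.

Added example, not Apache Airflow project code. Name patterns and file paths are
assumptions about common credential locations; extend them for your platform.
"""
import os
import re
from pathlib import Path

# Assumption: variables matching these patterns carry secrets. The AIRFLOW_* names
# are Airflow's env-var configuration names; the rest are common cloud-SDK names.
SECRET_NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIALS)",
    r"^AWS_ACCESS_KEY_ID$",
    r"^AZURE_CLIENT_ID$",
    r"^AIRFLOW_CONN_",                          # connections injected through env
    r"^AIRFLOW__CORE__FERNET_KEY$",             # decrypts every stored connection
    r"^AIRFLOW__DATABASE__SQL_ALCHEMY_CONN$",   # metadata DB DSN, usually with password
)]
# Assumption: config names that match the generic pattern but hold no secret themselves.
NOT_SECRET = {"AIRFLOW__SECRETS__BACKEND"}

# Assumption: typical credential files mounted into a pod or present on a host.
CREDENTIAL_FILES = (
    "~/.aws/credentials",
    "~/.config/gcloud/application_default_credentials.json",
    "~/.kube/config",
    "~/.docker/config.json",
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
)


def flag_env(env):
    """Return the sorted names (never the values) of variables that look like secrets."""
    return sorted(
        name for name in env
        if name not in NOT_SECRET and any(p.search(name) for p in SECRET_NAME_PATTERNS)
    )


def present_files(paths=CREDENTIAL_FILES, exists=None):
    """Return which candidate credential files exist; `exists` is injectable for tests."""
    if exists is None:
        exists = lambda p: Path(p).expanduser().is_file()
    return [p for p in paths if exists(p)]


def blast_radius(env, exists=None):
    """Summarize the credential material reachable from one process environment."""
    return {"env": flag_env(env), "files": present_files(exists=exists)}


if __name__ == "__main__":
    # Constructed environment standing in for os.environ of a webserver process.
    sample_env = {
        "PATH": "/usr/bin",
        "HOME": "/home/airflow",
        "AWS_SECRET_ACCESS_KEY": "redacted",
        "AIRFLOW_CONN_WAREHOUSE": "postgres://user:pass@db/warehouse",
        "AIRFLOW__CORE__FERNET_KEY": "redacted",
        "AIRFLOW__SECRETS__BACKEND": "airflow.providers.hashicorp.secrets.vault.VaultBackend",
    }
    report = blast_radius(sample_env)          # use os.environ on a real host
    print("secret-bearing variables:", ", ".join(report["env"]) or "none")
    print("credential files present:", ", ".join(report["files"]) or "none")
```

Every name this reports is something the advisory's DAG Author → webserver path would expose; the goal of the "Isolate the Airflow webserver" measure is to get the report as close to empty as the deployment allows, with the Fernet key and the metadata DB DSN being the two that cannot be removed and therefore deserve the tightest surrounding controls.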
Given the CVSS 8.8 High score and the widespread deployment of Apache Airflow in data-intensive environments, patching should be treated as high priority.