Airflow webserver code execution by Dag Authors (CVE-2026-33858)
CVE-2026-33858
Dag Authors can execute arbitrary code on the Apache Airflow webserver via malicious XCom payloads. Upgrade to version 3.2.0 immediately to block this privilege escalation.
Vendor-confirmed - CVE-2026-33858 is a high-severity remote code execution vulnerability in Apache Airflow (all versions prior to 3.2.0) that grants a Dag Author the ability to execute arbitrary commands on the webserver by crafting a malicious XCom payload. Upgrade to version 3.2.0 immediately to prevent exploitation.
Overview
A security vulnerability in Apache Airflow, tracked as CVE-2026-33858, allows a Dag Author to execute arbitrary code on the Airflow webserver. This high-severity flaw has been assigned a CVSS score of 8.8. While Dag Authors are already trusted users within the platform, this vulnerability inappropriately extends their privileges to the webserver’s execution context, creating a significant security boundary bypass.
Vulnerability Details
In Apache Airflow, DAG (Directed Acyclic Graph) authors are users with permissions to create and manage workflow tasks. Under normal security models, these users should not be able to run arbitrary code on the underlying Airflow webserver itself. This vulnerability exists in the handling of XCom (cross-communication) payloads. By crafting a malicious XCom payload, a Dag Author can cause the webserver to execute code of their choosing.
The primary risk stems from the elevation of a trusted internal role to a higher-privileged execution context. This could be leveraged to compromise the webserver, potentially leading to further lateral movement within the environment.
Impact and Severity
The impact is high, as successful exploitation leads to remote code execution on the Airflow webserver. An attacker with Dag Author privileges could:
- Execute arbitrary commands on the host running the webserver.
- Access sensitive data, configuration files, or secrets stored on that server.
- Use the compromised webserver as a foothold to attack other connected systems.
The CVSS vector reflects the network-based attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, the Dag Author role), and no requirement for user interaction (UI:N).
Remediation and Mitigation
The Apache Airflow project has released a fix. All users are strongly recommended to take the following action:
Immediate Action: Upgrade your Apache Airflow installation to version 3.2.0 or later. This version contains the necessary patches to resolve CVE-2026-33858.
If an immediate upgrade is not possible, consider reviewing and temporarily restricting Dag Author permissions to only strictly necessary personnel as a partial mitigation. However, upgrading is the only complete solution. For the latest information on other security patches, monitor the security news section.
Security Insight
This vulnerability highlights the persistent challenge of secure privilege separation within complex orchestration platforms. It echoes past incidents in CI/CD and data pipeline tools where trusted internal roles were inadvertently granted excessive system-level access. The high CVSS score, despite the requirement for Dag Author credentials, underscores that security models must rigorously defend against privilege escalation from any trusted user tier, not just external attackers.
Update - May 2026
As of 14 May 2026, no patch has been released by the vendor, and CVE-2026-33858 remains unaddressed in the latest Dag Author software channels. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, though analysts should continue monitoring for inclusion. EPSS has risen to 0.0017 (38th percentile), up from 0.0007 at publication, indicating modestly increased exploit modeling but still low active exploitation probability.
No related CVEs targeting the same XCom payload execution pathway have been published. No confirmed real-world exploitation events have been reported in open-source threat intelligence or major IDS/IPS feeds as of this update.
For defenders, immediate recommended actions include:
- Restrict Dag Author permissions to the minimum necessary workflow roles.
- Monitor webserver logs for anomalous XCom payloads containing shellcode, base64-encoded commands, or suspicious function calls.
- Apply virtual patching via WAF rules to filter XCom data fields for known command injection patterns.
- Optionally disable XCom functionality for non-admin Dag Authors until an official patch is released.
Continue tracking CISA KEV and vendor security channels for patch availability, and reassess EPSS trends weekly.