HIGH 8.8

CVE-2026-42359: Apache Airflow XCom PATCH RCE Bypass of CVE-2026-33858

Apache Airflow contains a bypass of an earlier security fix that allows authenticated users with restricted permissions to inject malicious code into deferred tasks. An attacker with legitimate write access to task metadata can craft a specially formatted request to set hidden configuration values that trigger remote code execution when the task resumes. This affects organizations where any untrusted team members have editing permissions on Airflow workflows.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42359 is a deserialization vulnerability in Apache Airflow's XCom PATCH endpoint. The flaw exploits an incomplete validation fix from CVE-2026-33858, which added forbidden key checks only to the POST /api/v2/xcomEntries endpoint but omitted them from the PATCH variant. An authenticated attacker can send a PATCH request to /api/v2/xcomEntries/{key} with a reserved key name (such as `return_value`) and a serialized payload containing code-execution gadgets. When the triggerer deserializes this payload during task resumption, the gadget chain executes arbitrary code in the triggerer process context. The vulnerability is classified as Unrestricted Deserialization (CWE-502) and requires the attacker to hold XCom write permission on the target DAG.

Business impact

This vulnerability creates a lateral privilege-escalation path for users with limited Airflow permissions. A data analyst or junior engineer with write access to a single DAG can achieve code execution with the privileges of the Airflow triggerer—typically a high-privileged scheduler component with broad access to infrastructure, databases, and secrets. In multi-tenant or shared Airflow deployments, this dramatically expands the blast radius of permission models that intended to confine user impact to specific pipelines.

Affected systems

Apache Airflow versions prior to 3.2.2 are affected. Deployments are only exploitable if at least one of these conditions holds: (1) untrusted or semi-trusted users have been granted XCom write permissions on any DAG, and (2) at least one DAG uses task deferral—a feature that suspends execution and resumes via the triggerer. Organizations running Airflow in strict single-tenant or admin-only setups face reduced risk, but most shared environments assume some user isolation and thus should patch.

Exploitability

Exploitability is high for vulnerable deployments. The attack requires only a valid Airflow user account and XCom write permission (a granular permission commonly delegated). No special network position or authentication bypass is needed—the attacker operates within the normal API surface. The PATCH request is trivial to craft, and no interaction or complex setup is required. However, the vulnerability requires that the target DAG actively uses task deferral; non-deferring DAGs are not at risk, even if the attacker has XCom write permission.

Remediation

Upgrade Apache Airflow to version 3.2.2 or later. This patch extends the `FORBIDDEN_XCOM_KEYS` validation to the PATCH endpoint, preventing writes to reserved keys. Organizations that previously patched CVE-2026-33858 must apply this additional fix—the earlier patch is insufficient. For deployments unable to patch immediately, restrict XCom write permissions to trusted administrators and audit existing XCom entries for suspicious values.

Patch guidance

Update the `apache-airflow` package to 3.2.2 or any later release in the stable branch. Verify the patched version by inspecting the PR #64148 fix line to confirm the PATCH handler includes the `FORBIDDEN_XCOM_KEYS` check. If running a vendor-specific or bundled Airflow distribution (e.g., Astronomer, managed services), consult the vendor's release notes for patched versions and timelines. Test the patch in a staging environment, paying special attention to any custom XCom serialization logic or task deferral workflows.

Detection guidance

Monitor audit logs and API access logs for PATCH requests to `/api/v2/xcomEntries/{key}` where the key matches reserved names (e.g., `return_value`, `task_context`, `hook_return_value`). Alert on requests from non-admin users if XCom write permission isolation is expected. Inspect XCom table entries for suspicious serialized payloads—look for object gadget chains or pickle/pickle-like encoding if using the default serializer. Check triggerer process logs for unexpected deserialization errors or resource anomalies around the time of task resumption. Correlate PATCH requests with subsequent triggerer restarts or error spikes.

Why prioritize this

This vulnerability scores 8.8 (HIGH) and represents a complete fix-bypass of a recent critical issue. Unlike the earlier CVE-2026-33858, which required admin configuration changes to expose the flaw, this variant exploits normal API behavior and affects any shared Airflow deployment with granular permissions. The presence of deferral in modern Airflow workflows makes it broadly relevant. Organizations that believed they had closed CVE-2026-33858 must re-prioritize this follow-up patch to prevent regression.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: Attack Vector = Network (user-facing API), Attack Complexity = Low (trivial PATCH request), Privileges Required = Low (authenticated user with limited permission), User Interaction = None, Scope = Unchanged (triggerer runs in same security context), Confidentiality/Integrity/Availability = High (arbitrary code execution). The score does not discount for the deferral requirement; assume it is common in production Airflow. The lack of KEV status as of June 2026 suggests limited observed exploitation in the wild, but the bypass nature and ease of attack should not be mistaken for low risk.

Frequently asked questions

Do we need to patch if we don't use task deferral?

No immediate risk applies to DAGs that do not use task deferral, because the deserialization only occurs when a deferred task resumes via the triggerer. However, we recommend patching anyway because teams often add deferral incrementally, and defenders cannot always track every DAG's feature usage in real time.

We already patched CVE-2026-33858. Are we covered?

No. CVE-2026-33858 patches only the POST endpoint. This vulnerability exploits the PATCH endpoint, which was not covered by that earlier fix. You must apply this new patch to close the bypass.

Can we mitigate without patching by restricting XCom write permissions?

Yes, as a temporary measure. Restrict XCom write to administrators and trusted roles only. However, this is a control rather than a fix—patch as soon as feasible, because permission models can drift and deferral is often necessary for performance.

What does deserialization and a gadget chain mean in this context?

When Airflow resumes a deferred task, it reads the XCom entry and converts it back into a Python object. If an attacker has written specially crafted serialized data (a 'gadget chain'), the deserialization process can be tricked into executing code embedded in that chain. This is a well-known attack pattern in Python object serialization.

This analysis is based on the CVE description and publicly available vendor guidance as of June 2026. SEC.co does not guarantee the absence of undisclosed exploitation or variants. Always consult the official Apache Airflow security advisory and your vendor's guidance before deploying patches. CVSS scores are provided by NIST and should be adapted to your organization's risk model. This information is for defensive security purposes; any unauthorized access to systems is illegal. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).