CVE-2026-45360: Apache Airflow Scheduler Unsafe Deserialization Privilege Escalation
Apache Airflow's scheduler contains a deserialization vulnerability in how it handles deadline references created by DAG authors. When a DAG author creates a custom deadline reference, the scheduler deserializes it without validating what code it might execute. An attacker who can author a DAG—or influence its contents—can embed malicious class paths that the scheduler will import and instantiate, gaining the ability to execute arbitrary code within the scheduler's security context and access its database connection.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-502
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in `SerializedCustomReference.deserialize_reference()`, which uses unsafe deserialization of DAG-author-controlled data. The method calls `import_string()` on arbitrary class paths without an allowlist or registry-based validation. In single-host deployments where DAG code runs in the same process as the scheduler, an attacker with DAG authorship privileges can craft a malicious `DeadlineReference` object. Upon deserialization by the scheduler, this triggers instantiation of an attacker-specified class with access to the active SQLAlchemy session, enabling code execution and database manipulation at scheduler privilege level.
Business impact
This vulnerability creates a privilege escalation path within Airflow deployments. While it requires DAG-author access to exploit, many organizations treat DAG authorship as a lower-privilege operation than scheduler administration. Successful exploitation allows an attacker to execute arbitrary Python code in the scheduler process, potentially compromising task scheduling, data pipeline integrity, and database confidentiality. The impact is most severe in single-host deployments or where DAG source code is not strictly reviewed before deployment.
Affected systems
Apache Airflow versions prior to 3.2.2 are affected. The vulnerability is most exploitable in default single-host deployment configurations where DAG code is importable from the scheduler process. Multi-host deployments with DAG serialization and out-of-process DAG parsing may have reduced attack surface, but the risk persists if DAG authors can influence serialized deadline-reference definitions. Organizations running older 2.x versions or early 3.x releases should prioritize assessment.
Exploitability
Exploitation requires DAG authorship capabilities, which in many organizations is not heavily restricted. The attack does not require network access (AV:N), complex authentication bypasses (PR:N), or user interaction (UI:N), though it does require the attacker's malicious DAG to reach the scheduler. The low complexity (AC:L) and lack of scope limitations (S:U) make this straightforward to exploit for anyone with DAG write permissions. However, the vulnerability is not known to be actively exploited in the wild (KEV status: false).
Remediation
Upgrade Apache Airflow to version 3.2.2 or later, which addresses the unsafe deserialization by implementing validation on deadline-reference class paths. Until patching is complete, restrict DAG authorship to trusted personnel and implement code review processes for all DAG changes. Consider deploying Airflow in a multi-host configuration where DAGs are parsed in isolated processes separate from the scheduler, reducing the attack surface.
Patch guidance
Apply the upgrade to Apache Airflow 3.2.2 or later as soon as feasible. Verify the upgrade through vendor advisories and release notes to confirm the deserialization fix is included. Test the upgraded version in a non-production environment to ensure DAG compatibility and backward compatibility with custom deadline-reference implementations. For large deployments with numerous DAGs, stage the upgrade across development, staging, and production clusters to minimize disruption.
Detection guidance
Monitor scheduler process logs for unexpected `import_string()` calls or imports of unusual module paths during DAG serialization. Inspect DAG definitions for custom `DeadlineReference` classes with suspicious `__module__` or `__class__` attributes pointing outside standard Airflow packages. Review recent DAG commits and authorship changes, particularly for modifications to deadline-reference handling. In production environments, track scheduler process CPU and memory spikes, which may indicate code execution attempts. Consider deploying file integrity monitoring on the Airflow configuration and DAG directories to detect unauthorized changes.
Why prioritize this
This vulnerability scores 7.3 (HIGH) due to the combination of remote network accessibility, low authentication barriers, and the ability to execute arbitrary code at scheduler privilege level with direct database access. Although it requires DAG-authorship privileges—a potential constraint in some organizations—the ease of exploitation and the severity of the compromise (scheduler process takeover) warrant rapid prioritization. The fact that it is not yet in active exploitation provides a window for orderly remediation before threat actors systematize attacks.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects: (1) network-accessible attack vector (AV:N) typical of cloud-hosted Airflow deployments; (2) no special access requirements (PR:N) once DAG authorship is obtained; (3) low complexity exploitation (AC:L) requiring only crafted serialized input; (4) consequential but not total system compromise, affecting confidentiality, integrity, and availability of scheduler-managed operations (C:L, I:L, A:L). The score does not account for organizational risk factors such as DAG authorship restrictions or deployment topology, which should inform local risk assessment.
Frequently asked questions
Does this affect my Airflow deployment if DAG authors are fully trusted?
No. In environments where DAG authorship is restricted to a small group of trusted personnel and code review is mandatory, the practical risk is substantially lower. However, vendor advisories recommend upgrading regardless, as trust relationships can change and insider threats remain a consideration.
What is the difference between single-host and multi-host deployments in terms of risk?
Single-host deployments run DAG code and the scheduler in the same process, making the attack direct. Multi-host deployments can isolate DAG parsing to separate worker processes, but the vulnerability still exists if serialized DAGs reach the scheduler. Multi-host deployments do offer opportunities to restrict which hosts can deserialize deadline references.
Can I disable deadline references to mitigate this risk before patching?
Verify with the vendor advisory whether deadline-reference functionality can be safely disabled or restricted in your version. Some configurations may allow you to validate or allowlist deadline-reference classes before deserialization, but this should be confirmed against your specific Airflow version and custom code.
Are there monitoring or alerting options available now?
Yes. Audit scheduler logs for unexpected imports, review DAG definitions for suspicious deadline-reference classes, and monitor for unusual process behavior. These measures provide visibility but are not a substitute for upgrading to a patched version.
This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. Actual risk and remediation timelines depend on your specific Airflow configuration, DAG authorship policies, and deployment topology. Always consult official Apache Airflow security advisories and vendor documentation before implementing patches or mitigations. SEC.co does not guarantee the completeness or applicability of this guidance to all environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42359HIGHApache Airflow XCom PATCH RCE Bypass of CVE-2026-33858
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation
- CVE-2026-37579HIGHSMSGate Remote Code Execution via CMPP7 Deserialization
- CVE-2026-38950HIGHESA AnomalyMatch Arbitrary Code Execution via Unsafe PyTorch Deserialization
- CVE-2026-39550HIGHAperitif Theme Remote Code Execution via Object Injection