CVE-2026-33858 · CVSS 8.8 HIGH · EPSS percentile 42.2%

CVE-2026-33858

Description

Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload that causes the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the project rates the severity of this issue as Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

Note that the vendor's Low rating differs from the NVD CVSS 3.1 base score of 8.8 (HIGH) given under Scoring: the CVSS vector models the attacker as a low-privileged user (PR:L), whereas the project treats Dag authorship as a high-trust role. Deployments where Dag authors are not fully trusted should treat the NVD score as the relevant one.
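The following Python block is an added illustration of the weakness class this advisory maps to (CWE-502, deserialization of untrusted data). It is not Apache Airflow code and does not reproduce the XCom payload fixed in the referenced pull request; it models a cross-task value store in the spirit of XCom with an assumed envelope format (`{"__type__": ..., "__data__": ...}`), an assumed `TaskResult` type and `ALLOWED_TYPES` registry, and `os.getpid` as a harmless stand-in for a writer-chosen callable. The vulnerable reader resolves an unknown type tag as an import path, so the writer picks the code the reader runs; the hardened reader only accepts tags from the fixed registry and checks the data against the type's schema before constructing anything.

```python
import importlib
import json
from dataclasses import asdict, dataclass, fields
from typing import Any


@dataclass(frozen=True)
class TaskResult:
    """Assumed: the one structured value type this store is meant to carry."""
    rows: int
    output_path: str


# Assumed registry: the reader may only reconstruct these named types.
ALLOWED_TYPES: dict[str, type] = {"TaskResult": TaskResult}


class UntrustedPayload(ValueError):
    """Raised by the hardened reader for anything outside the registry/schema."""


def serialize(value: Any) -> str:
    """Writer side: plain JSON passes through; a registered dataclass is wrapped
    in a self-describing envelope carrying a short type tag."""
    for name, cls in ALLOWED_TYPES.items():
        if isinstance(value, cls):
            return json.dumps({"__type__": name, "__data__": asdict(value)})
    return json.dumps(value)


def vulnerable_deserialize(payload: str) -> Any:
    """CWE-502 pattern: unknown tags fall back to 'resolve any dotted path the
    writer supplied', so the writer chooses which callable the reader invokes."""
    obj = json.loads(payload)
    if isinstance(obj, dict) and "__type__" in obj:
        tag = obj["__type__"]
        target = ALLOWED_TYPES.get(tag)
        if target is None:
            # "Extensibility" fallback: import module, fetch attribute, call it.
            module_name, _, attr = tag.rpartition(".")
            target = getattr(importlib.import_module(module_name), attr)
        return target(**obj.get("__data__", {}))
    return obj


def safe_deserialize(payload: str) -> Any:
    """Hardened reader: the tag is a key into a fixed registry, never an import
    path, and the data is validated against the dataclass schema first."""
    obj = json.loads(payload)
    if not (isinstance(obj, dict) and "__type__" in obj):
        return obj  # plain JSON, nothing to reconstruct
    tag = obj["__type__"]
    if not isinstance(tag, str) or tag not in ALLOWED_TYPES:
        raise UntrustedPayload(f"type tag not allowed: {tag!r}")
    cls = ALLOWED_TYPES[tag]
    data = obj.get("__data__")
    if not isinstance(data, dict):
        raise UntrustedPayload("__data__ must be a JSON object")
    schema = {f.name: f.type for f in fields(cls)}
    if set(data) != set(schema):
        raise UntrustedPayload(f"fields {sorted(data)} do not match {sorted(schema)}")
    for name, expected in schema.items():
        if not isinstance(data[name], expected):
            raise UntrustedPayload(f"field {name!r} is not {expected.__name__}")
    return cls(**data)


def rejects(payload: str) -> bool:
    """True if the hardened reader refuses the payload."""
    try:
        safe_deserialize(payload)
    except UntrustedPayload:
        return True
    return False


# Constructed sample payloads (not captured from any real system).
LEGIT_PAYLOAD = serialize(TaskResult(rows=42, output_path="s3://bucket/out.parquet"))
# Writer-chosen callable; os.getpid stands in for something far less benign.
MALICIOUS_PAYLOAD = json.dumps({"__type__": "os.getpid", "__data__": {}})
# Right tag, wrong shape: an extra key smuggled into the constructor call.
MALFORMED_PAYLOAD = json.dumps(
    {"__type__": "TaskResult", "__data__": {"rows": 1, "output_path": "x", "extra": 1}}
)

if __name__ == "__main__":
    print("vulnerable reader ran writer-chosen code:", vulnerable_deserialize(MALICIOUS_PAYLOAD))
    print("hardened reader rejects it:", rejects(MALICIOUS_PAYLOAD))
    print("hardened reader still loads legitimate values:", safe_deserialize(LEGIT_PAYLOAD))
```

The point of the hardened reader is that a type tag is data, not a reference: it is looked up in a registry the reader owns, and the registry holds constructors for plain value types only. Anything that turns a writer-supplied string into an import, an attribute lookup or a call recreates the weakness regardless of the wire format.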

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.56% probability of exploitation · percentile 42.2% · 2026-06-18T12:00:27Z
Published: 2026-04-13
Last modified: 2026-04-17

Underlying weaknesses · 1

CWE-502 Deserialization of Untrusted Data

References

  1. https://github.com/apache/airflow/pull/64148
  2. https://lists.apache.org/thread/1npt3o2x81s0gw9tmfcv4n7p1z9hdmy0
  3. http://www.openwall.com/lists/oss-security/2026/04/13/7

Weakness mapping · 1

Type      Target                                       Confidence  Tier
Weakness  Deserialization of Untrusted Data (cwe-502)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus (all of type CVE).

  1. CVE-2026-42359
  2. CVE-2026-30898
  3. CVE-2025-54550
  4. Apache Airflow Command Injection
  5. CVE-2026-40963
  6. CVE-2025-69219

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.