Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <c7bd19a3-9560-12fb-0625-3ec6e19f1d71@apache.org>
Date: Fri, 17 Apr 2026 10:34:42 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-25917: Apache Airflow: API extra-links triggers XCom
 deserialization/class instantiation (Airflow 3.1.5) 

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.0

Description:

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Credit:

Mahammad Huseynkhanli (finder)
Amogh Desai (remediation developer)

References:

https://github.com/apache/airflow/pull/61641
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-25917

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.