8 matches found
BIT-AIRFLOW-2026-45360 Apache Airflow: Arbitrary import in custom deadline-reference deserialization
Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG...
PYSEC-2026-186
Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...
PYSEC-0000-CVE-2026-45360
Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...
CVE-2026-45360 Apache Airflow: Arbitrary import in custom deadline-reference deserialization
Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...
CVE-2026-45360 Apache Airflow: Arbitrary import in custom deadline-reference deserialization
Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...
CVE-2026-45360
Summary (CVE-2026-45360) : Apache Airflow’s scheduler-side deadline-reference deserialization in SerializedCustomReference.deserialize_reference can import arbitrary attacker-controlled module paths because there is no allowlist or plugin-registry gate. A DAG author’s code that reaches the schedu...
PT-2026-45374
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description The scheduler-side deadline-reference decoder SerializedCustomReference.deserialize reference imports and dispatches arbitrary class paths from serialized state controlled by a DAG author...