5 matches found
apache-airflow-core (>=3.2.0 <=3.2.1), apache-airflow-providers-google (=5.0.0) +10 more potentially affected by CVE-2026-33858 +1 more via apache-airflow (>=3.2.0 <=3.2.1rc3)
apache-airflow PYPI version =3.2.0, =3.2.0, =1.2.0, =13.0.2, =7.2.0, =1.18.3, =1.4.2, =2.1.1, =1.10.3, =1.41.2, =1.28.2, =5.6.2, =5.7.17 Source cves: CVE-2026-33858, CVE-2026-42359 Source advisory: OSV:PYSEC-2026-185...
apache-airflow (>=3.2.0b1 <=3.2.0b2) potentially affected by CVE-2026-33858 via apache-airflow-task-sdk (>=1.2.0b1 <=1.2.0b2)
apache-airflow-task-sdk PYPI version =1.2.0b1, =3.2.0b1, =3.2.0b2 Source cves: CVE-2026-33858 Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-16032066...
CVE-2026-33858
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...
airflow-clickhouse-plug (=1.6.2), airflow-clickhouse-plugin (=1.6.0) +19 more potentially affected by CVE-2026-33858 via apache-airflow (=3.1.8)
apache-airflow PYPI version =3.1.8 is affected by a known vulnerability. The following packages have a transitive dependency on apache-airflow and may be impacted: - airflow-clickhouse-plug =1.6.2 - airflow-clickhouse-plugin =1.6.0 - airflow-dbt-winwin =0.6.0, =0.2.0, =1.0.2, =0.0.13, =10.13.0,...
CVE-2026-33858 Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...