BIT-AIRFLOW-2026-25917 Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

CVE-2023-50943 Apache Airflow: Potential pickle deserialization vulnerability in XComs

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enablexcompickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it...

PT-2024-1306 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.8.1 Description: The issue is related to the deserialization mechanism in Apache Airflow, allowing a potential attacker to poison the XCom data by bypassing the protection of the enable xcom pickling=False...