CVE-2026-42359

Severity: HIGH (8.8, CVSS 3.1)
EPSS: 41.8%
Published: Jun 1, 2026
Last Modified: Jun 17, 2026

Description

A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.
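
A detection sketch for the PATCH-path behaviour described above, added here as an example and not taken from Airflow or the advisory: it scans API access-log lines for PATCH requests that target a reserved XCom key. The log format, the sample lines, the extra path segments tolerated before `xcomEntries`, and the contents of `RESERVED_KEYS` beyond `return_value` are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: only `return_value` is named in the advisory text; extend this set
# to match FORBIDDEN_XCOM_KEYS in the Airflow version you run.
RESERVED_KEYS = {"return_value"}

# Request part of a combined-format access log line: "METHOD target HTTP/x" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: the deployed route may carry extra segments before xcomEntries.
XCOM_RE = re.compile(r"^/api/v2/(?:.*/)?xcomEntries/(?P<key>[^/]+)$")


def flag_reserved_xcom_patches(lines, reserved=RESERVED_KEYS):
    """Return (line_no, key, status) for each PATCH that names a reserved XCom key."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        req = REQUEST_RE.search(line)
        if not req or req["method"] != "PATCH":
            continue  # POST is already validated; reads are out of scope
        path = urlsplit(req["target"]).path  # drop any query string
        entry = XCOM_RE.match(path)
        if not entry:
            continue
        key = unquote(entry["key"])  # compare the decoded key, not the raw bytes
        if key in reserved:
            hits.append((line_no, key, int(req["status"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [t1] "POST /api/v2/xcomEntries HTTP/1.1" 201',
    '10.0.0.7 - bob [t2] "PATCH /api/v2/xcomEntries/row_count HTTP/1.1" 200',
    '10.0.0.7 - bob [t3] "PATCH /api/v2/xcomEntries/return_value HTTP/1.1" 200',
    '10.0.0.7 - bob [t4] "PATCH /api/v2/a/b/xcomEntries/return%5Fvalue?x=1 HTTP/1.1" 200',
    '10.0.0.9 - carol [t5] "GET /api/v2/xcomEntries/return_value HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line_no, key, status in flag_reserved_xcom_patches(SAMPLE_LOG):
        print(f"line {line_no}: PATCH on reserved XCom key {key!r} -> HTTP {status}")
```

A hit with a 2xx status on a deployment in the affected range is worth correlating with the user's XCom write permission and with triggerer activity for the same Dag.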

CVSS Details

Base Score: 8.8
Exploitability: 2.8
Impact: 5.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 41.8% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-502: Deserialization of Untrusted Data (Validation)

Affected Products (1)

Vendor: apache
Product: airflow
Version: *
Range: ≥3.2.0 – <3.2.2

References (3)

  • https://github.com/apache/airflow/pull/65915
    Issue Tracking, Patch
  • https://lists.apache.org/thread/g8dqykpf1p90tysq8tln4qtkqwb1038s
    Mailing List, Vendor Advisory
  • https://www.cve.org/CVERecord?id=CVE-2026-33858
    Third Party Advisory

Remediation

  • https://github.com/apache/airflow/pull/65915
    Issue Tracking, Patch