PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45360 Apache Software Foundation CVE debrief

Apache Airflow's scheduler-side `SerializedCustomReference.deserialize_reference` method deserializes arbitrary class paths from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. In deployments where the DAG bundle is importable from the scheduler process, which includes default single-host configurations, a DAG author can embed a malicious `DeadlineReference` whose serialized form names an attacker-controlled module path. The scheduler then calls `import_string(...)` on that path and instantiates the resulting class with a live SQLAlchemy session attached, giving the DAG author arbitrary code execution in the scheduler process. The vulnerability matters wherever DAG-author code is less trusted than the scheduler process. The fix was released in `apache-airflow` 3.2.2.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow with multiple DAG authors or untrusted DAG code, particularly on single-host deployments where the scheduler process can import the same DAG bundle that authors write to. Security teams managing multi-tenant data platforms, DevOps engineers responsible for Airflow upgrades, and compliance officers reviewing supply-chain or insider-threat risk in data pipeline infrastructure.

Technical summary

The vulnerability exists in `SerializedCustomReference.deserialize_reference` within the Apache Airflow scheduler. The method accepts a serialized class path string from DAG metadata and passes it directly to `import_string()`, then instantiates the resulting class with scheduler-internal objects including a live SQLAlchemy ORM session. Because no allowlist restricts which modules may be imported, a DAG author can specify any importable class—including those from attacker-supplied code in the Python path. On single-host deployments where the scheduler can import the DAG bundle, this allows DAG authors to achieve code execution in the scheduler's security context. The fix in version 3.2.2 adds validation to restrict deserialization to known-safe reference types.
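The following is an added illustration of the CWE-502 pattern described above, not Airflow's own code: a deserializer that imports whatever dotted path the serialized payload names, beside one gated by a fixed registry of reference types. The function names, the `evil_plugin` module, the `FakeSession` stand-in and the payload layout are all hypothetical; the attacker module is constructed in-process so the example runs offline.

```python
"""Unsafe vs. allowlisted deserialization of a serialized reference.

Added example; not Airflow's code. All names here are hypothetical.
"""
import importlib
import sys
import types

# Records side effects of attacker-controlled class instantiation.
EXECUTED = []


def _install_attacker_module():
    """Constructed stand-in for attacker code sitting on the scheduler's path."""
    mod = types.ModuleType("evil_plugin")

    class Pwn:
        def __init__(self, session=None, **kwargs):
            # Stands in for arbitrary code running with the scheduler's session.
            EXECUTED.append(("pwn", type(session).__name__))

    mod.Pwn = Pwn
    sys.modules["evil_plugin"] = mod


_install_attacker_module()


class FakeSession:
    """Stand-in for the live SQLAlchemy session handed to the reference."""


class DagRunQueuedAtReference:
    """A benign, registered reference type (hypothetical name)."""

    def __init__(self, session=None, **kwargs):
        self.session = session
        self.extra = kwargs


def import_string(dotted_path):
    """Resolve 'pkg.mod.Name' to the object, like the helper the page describes."""
    module_path, _, name = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_path), name)


def deserialize_reference_unsafe(data, session):
    """The vulnerable shape: the class path in the payload is imported verbatim."""
    cls = import_string(data["reference_class"])
    return cls(session=session, **data.get("kwargs", {}))


# Hardened shape: payloads may only name registered types, never module paths.
ALLOWED_REFERENCES = {
    "DagRunQueuedAtReference": DagRunQueuedAtReference,
}


def deserialize_reference_safe(data, session):
    """Look the type name up in a fixed registry; reject anything else."""
    name = data["reference_class"]
    cls = ALLOWED_REFERENCES.get(name)
    if cls is None:
        raise ValueError(f"unknown reference type {name!r}")
    return cls(session=session, **data.get("kwargs", {}))


# Constructed payloads: one benign, one pointing at the attacker module.
BENIGN = {"reference_class": "DagRunQueuedAtReference", "kwargs": {"interval": 60}}
MALICIOUS = {"reference_class": "evil_plugin.Pwn"}


def demo():
    """Run both deserializers against the malicious payload and report what ran."""
    results = {}
    deserialize_reference_unsafe(MALICIOUS, FakeSession())
    results["unsafe_executed"] = len(EXECUTED)  # attacker class ran
    try:
        deserialize_reference_safe(MALICIOUS, FakeSession())
        results["safe_blocked"] = False
    except ValueError:
        results["safe_blocked"] = True
    results["safe_executed"] = len(EXECUTED)  # unchanged: nothing imported
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened variant deliberately keys the registry by a short name rather than a dotted path: even an allowlist of path prefixes can be bypassed if the bundle can shadow a module on `sys.path`, whereas a registry populated at scheduler start never consults the payload to decide what to import.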

Defensive priority

high

Recommended defensive actions

  • Upgrade to apache-airflow 3.2.2 or later as advised by the Apache Airflow security team
  • Restrict DAG authoring privileges to trusted personnel and audit existing DAG code for suspicious DeadlineReference usage
  • In multi-tenant or shared deployments, isolate scheduler processes from untrusted DAG bundles and enforce code review for all DAG submissions
  • Monitor scheduler logs for unexpected module imports or class instantiations originating from DAG deserialization paths
  • Review network segmentation between scheduler nodes and sensitive infrastructure, as scheduler compromise may expose database credentials or permit lateral movement
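The audit step in the list above can be mechanised. The following is an added example, not Airflow's or the advisory's own tooling: it parses each DAG file in a bundle with `ast` and reports every class that subclasses a name ending in `DeadlineReference`, which is the construct a malicious author would need to define. The sample bundle is constructed inline, and the import path shown in it is illustrative rather than Airflow's actual module layout.

```python
"""Scan DAG source files for custom DeadlineReference subclasses.

Added example; not Airflow's code. Sample bundle and import paths are constructed.
"""
import ast

SUSPECT_BASE = "DeadlineReference"


def _base_name(node):
    """Return the simple name of a base class node (`X` or `pkg.X`)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return ""


def find_custom_deadline_references(source, filename):
    """Return (filename, line, class name) for each class in `source` whose
    bases include a name ending in DeadlineReference."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # A DAG file that does not parse deserves a manual look on its own.
        return [(filename, exc.lineno or 0, "<syntax error>")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and any(
            _base_name(base).endswith(SUSPECT_BASE) for base in node.bases
        ):
            findings.append((filename, node.lineno, node.name))
    return findings


def scan_bundle(files):
    """files: mapping of path -> source text. Returns all findings, ordered by path."""
    findings = []
    for path in sorted(files):
        findings.extend(find_custom_deadline_references(files[path], path))
    return findings


# Constructed sample bundle: one ordinary DAG and one defining custom references.
SAMPLE_BUNDLE = {
    "etl_dag.py": "\n".join([
        "from airflow import DAG",
        "dag = DAG('etl')",
    ]),
    "evil_dag.py": "\n".join([
        "from airflow.models.deadline import DeadlineReference  # illustrative path",
        "import airflow.models.deadline as deadline",
        "class CustomRef(DeadlineReference):",
        "    pass",
        "class OtherRef(deadline.DeadlineReference):",
        "    pass",
    ]),
}


if __name__ == "__main__":
    for path, line, name in scan_bundle(SAMPLE_BUNDLE):
        print(f"{path}:{line}: custom deadline reference {name}")
```

Run it over a checkout of the DAG bundle by reading each `.py` file into the mapping; a non-empty result is a review queue, not proof of compromise, since legitimate plugins may also subclass the reference type. It is a source-level check and will not see references that are built dynamically or injected directly into serialized DAG state, so it complements rather than replaces the upgrade.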

Evidence notes

The NVD record (published 2026-06-01) cites a GitHub pull request and an Apache security mailing list thread as references. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). No CVSS score or severity is currently assigned in the official record. The vendor attribution to Apache is derived from reference domain candidates and source metadata; the vendor field in the source corpus is marked low-confidence and flagged for review.

Official resources

2026-06-01