HIGH | CVE-2026-42359 | CNA: apache

CVE-2026-42359: Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.
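The fix-bypass pattern described above, shown as an added example that is not Airflow's own code: a minimal model of the POST and PATCH handlers in which the reserved-key validator is shared by both paths, so the PATCH handler rejects `return_value` exactly as the POST handler does. Apart from `FORBIDDEN_XCOM_KEYS` and `XComUpdateBody`, every name, the body shapes and the in-memory store are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Any

# Reserved XCom key names. The advisory names "return_value"; the full contents of
# Airflow's FORBIDDEN_XCOM_KEYS are not reproduced here (assumption for this example).
FORBIDDEN_XCOM_KEYS = frozenset({"return_value"})

class ForbiddenXComKey(ValueError):
    """Raised when a request tries to write an XCom entry under a reserved key."""

def validate_xcom_key(key: str) -> str:
    """Shared validator: reject reserved keys no matter which endpoint supplies them."""
    if key in FORBIDDEN_XCOM_KEYS:
        raise ForbiddenXComKey(f"XCom key {key!r} is reserved")
    return key

@dataclass
class XComCreateBody:
    """Body for POST /api/v2/xcomEntries (shape assumed); the key was validated pre-fix."""
    key: str
    value: Any

    def __post_init__(self) -> None:
        self.key = validate_xcom_key(self.key)

@dataclass
class XComUpdateBody:
    """Body for PATCH /api/v2/xcomEntries/{key} (shape assumed); the key comes from the path."""
    value: Any

# In-memory stand-in for the XCom table: (dag_id, task_id, key) -> value
XCOM_STORE: dict[tuple[str, str, str], Any] = {}

def patch_xcom_vulnerable(dag_id: str, task_id: str, key: str, body: XComUpdateBody) -> None:
    """Pre-fix PATCH handler: the path key is never checked, so reserved keys reach storage."""
    XCOM_STORE[(dag_id, task_id, key)] = body.value

def patch_xcom_fixed(dag_id: str, task_id: str, key: str, body: XComUpdateBody) -> None:
    """Fixed PATCH handler: the POST path's validator is applied to the path key too."""
    XCOM_STORE[(dag_id, task_id, validate_xcom_key(key))] = body.value

def rejects_reserved_key(handler, key: str = "return_value") -> bool:
    """True if the handler refuses to store under `key`; lets the two handlers be compared."""
    try:
        handler("example_dag", "example_task", key, XComUpdateBody(value={"constructed": True}))
    except ForbiddenXComKey:
        return True
    return False
```

Because the validator is a single function called from both paths, adding a third write endpoint later cannot silently skip the check the way the PATCH path did here.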

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 3.2.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authenticated remote code execution vulnerability affects Apache Airflow versions 3.2.0 through 3.2.1 in the XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}). Any authenticated user with XCom write permission on a DAG can bypass the reserved-key validation that was added only to the POST path, inject a serialized payload under a reserved key name such as return_value, and trigger deserialization-based code execution on the triggerer process when the affected task next defers. Successful exploitation gives the attacker full code execution on the Airflow triggerer. A patched-image rebuild at version 3.2.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-42359 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Airflow images, in both registry scans and CI pipeline checks.

Triage (Available)

HarborGuard scores this finding at CVSS 8.8 (HIGH) and can weight it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Patch (Available)

A patched-image rebuild pinned to apache-airflow 3.2.2 is available on HarborGuard for any environment found running an affected version (3.2.0 or 3.2.1). For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Airflow API or UI over the network; the vulnerable endpoint is exposed via the standard HTTP API surface.

  • Authentication: Required

    A valid account with XCom write permission on at least one DAG is required; any low-privilege user granted that permission is sufficient.

  • Victim interaction: Not required

    No user interaction is needed; the attacker submits the malicious XCom entry directly and exploitation occurs automatically when the affected task next defers.

  • Attack complexity: Low

    The exploit is reliable and requires no race conditions, memory-layout knowledge, or other environmental preconditions beyond having XCom write permission.

Blast Radius

  • The attacker executes arbitrary code on the Airflow triggerer process, gaining full control of that component.
  • Secrets accessible to the triggerer, including DAG connection credentials and environment variables, are exposed to the attacker.
  • The attacker can modify or delete persisted DAG state, XCom entries, and task metadata stored in the Airflow metadata database via the triggerer's database access.
  • The triggerer process can be crashed or made to crash repeatedly, disrupting deferred task execution across all DAGs that rely on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42359 is active in every scan cycle and will flag any image containing apache-airflow 3.2.0 or 3.2.1. A rebuilt image at the fix version (3.2.2) is available for affected environments. For customers who opt into auto-remediation, HarborGuard performs the image rebuild, executes regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Note that this CVE is a fix-bypass of CVE-2026-33858: environments that already upgraded for that earlier issue but stopped at a version below 3.2.2 remain exposed via the PATCH path and should treat this as an independent upgrade requirement. Where auto-remediation is not enabled, customers can manually trigger a rebuild to 3.2.2 from the HarborGuard dashboard or restrict XCom write permissions to trusted users as an interim compensating control.


Fix available: 3.2.2

Patch commits:

Affected packages:
  • Apache Software Foundation / Apache Airflow: < 3.2.2 (from 3.2.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H