HIGH · CVE-2026-45360 · CNA: apache

CVE-2026-45360: Apache Airflow: Arbitrary import in custom deadline-reference deserialization

Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 3.2.2
Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary import vulnerability exists in Apache Airflow's scheduler-side deadline-reference deserializer, reachable over the network without any authentication. The scheduler's `SerializedCustomReference.deserialize_reference` function accepts attacker-controlled class paths from DAG-serialized state and calls `import_string(...)` on them without an allowlist, instantiating arbitrary classes with a live SQLAlchemy session attached. Successful exploitation allows a DAG author to read data, modify database rows, or disrupt scheduler operation. A patched-image rebuild at version 3.2.2 is available on HarborGuard for environments running an affected version.
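The pattern the advisory describes is a decoder that imports whatever dotted class path the serialized state names, and the fix it implies is a registry or allowlist gate. The following is an added example, not Airflow's code: a hypothetical `DeadlineReference` stand-in, a registry keyed by dotted class path, the vulnerable "import the path from the data" decoder and the gated decoder side by side. The serialized shape (`__class__` plus `kwargs`) and all class names are assumptions.

```python
# Added example (not Airflow's code). Shows the "import the class path named in
# serialized state" pattern next to an allowlist-gated decoder that never
# imports anything based on untrusted input.
import importlib
from typing import Any, Dict, Optional, Type


class DeadlineReference:
    """Hypothetical stand-in for the DeadlineReference base class."""

    def __init__(self, **kwargs: Any) -> None:
        self.kwargs = kwargs


# Registry of permitted reference types: dotted class path -> class.
# Hypothetical; Airflow's real plugin registry is shaped differently.
_ALLOWED: Dict[str, Type[DeadlineReference]] = {}


def reference_path(cls: type) -> str:
    """Dotted path used as the registry key for a class."""
    return f"{cls.__module__}.{cls.__qualname__}"


def register_reference(cls: type) -> type:
    """Decorator: only DeadlineReference subclasses may enter the registry."""
    if not (isinstance(cls, type) and issubclass(cls, DeadlineReference)):
        raise TypeError("only DeadlineReference subclasses can be registered")
    _ALLOWED[reference_path(cls)] = cls
    return cls


@register_reference
class HoursAfterQueued(DeadlineReference):
    """Constructed example reference type registered by the deployment."""

    def __init__(self, hours: int = 1) -> None:
        super().__init__(hours=hours)
        self.hours = hours


def is_allowed(path: Optional[str]) -> bool:
    """True only for paths that were registered ahead of time."""
    return isinstance(path, str) and path in _ALLOWED


def unsafe_deserialize(data: Dict[str, Any]) -> Any:
    """Vulnerable pattern: import and instantiate whatever the data names.

    Any importable class in the scheduler's environment can be constructed
    this way; nothing ties the result to DeadlineReference.
    """
    module_name, _, class_name = data["__class__"].rpartition(".")
    cls = getattr(importlib.import_module(module_name), class_name)
    return cls(**data.get("kwargs", {}))


def safe_deserialize(data: Dict[str, Any]) -> DeadlineReference:
    """Hardened pattern: resolve the path through the registry, never by import.

    Unknown paths are rejected before any code is loaded, and the registry
    guarantees the result is a DeadlineReference subclass.
    """
    path = data.get("__class__")
    if not is_allowed(path):
        raise ValueError(f"deadline reference {path!r} is not a registered type")
    return _ALLOWED[path](**data.get("kwargs", {}))


if __name__ == "__main__":
    # The unsafe decoder happily builds an unrelated stdlib class from a string.
    print(type(unsafe_deserialize({"__class__": "json.JSONDecoder"})).__name__)
    ok = safe_deserialize(
        {"__class__": reference_path(HoursAfterQueued), "kwargs": {"hours": 2}}
    )
    print(type(ok).__name__, ok.hours)
    try:
        safe_deserialize({"__class__": "json.JSONDecoder"})
    except ValueError as exc:
        print("rejected:", exc)
```

The important design point is that the gated decoder does the lookup first and imports nothing: the registry is populated at startup from code the operator controls, so the serialized path is reduced to a dictionary key rather than an instruction.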

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is matched against customer images within minutes of publication, covering both upstream Airflow base images and any custom-built images that bundle the affected package. Scans run continuously against images in customer registries and CI/CD pipelines so newly pushed images are evaluated without delay.

Triage (Available)

Triage is available with CVSS v3.1 scoring at 7.3 (HIGH), weighted further by each customer org's compliance policy configuration to surface findings to the appropriate team inbox. Per-environment policy weighting ensures that, for example, production scheduler images are routed with higher urgency than development copies.

Patch (Available)

A patched-image rebuild pinned to apache-airflow 3.2.2 becomes available on HarborGuard for any scanned image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network (AV:N), so an attacker must be able to reach the Airflow scheduler service across the network to deliver malicious serialized DAG state.

  • Authentication: Not required

    No credentials are required (PR:N); any DAG author who can submit a DAG bundle to the scheduler can trigger the vulnerable deserialization path without holding a privileged account.

  • Victim interaction: Not required

    No user interaction is needed (UI:N); the scheduler processes the malicious serialized reference automatically during its normal scheduling cycle.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond submitting a DAG with a crafted DeadlineReference.

Blast Radius

  • Reads data accessible via the attached SQLAlchemy session, including DAG metadata, connection credentials stored in Airflow's metadata database, and variable values.
  • Modifies or deletes persisted rows in the Airflow metadata database, including task instances, DAG runs, and stored connections or variables.
  • Crashes or destabilizes the scheduler process by instantiating a class that raises an unhandled exception, disrupting pipeline scheduling across all DAGs on the deployment.
  • Establishes a foothold for further lateral movement if the attacker-controlled class performs outbound network calls or writes files accessible to other scheduler processes.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45360 runs against all scanned images within minutes of CVE publication, including custom Airflow images built internally. Where a scanned image carries apache-airflow below 3.2.2, a rebuilt image pinned to 3.2.2 is available immediately. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts auto-remediation, HarborGuard surfaces the finding with CVSS-weighted priority in the team inbox. While awaiting an upgrade, compensating controls include restricting the DAG bundle mount to trusted authors only, applying network policy to limit scheduler egress, and auditing existing DAGs for custom DeadlineReference subclasses before upgrading.
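One of the compensating controls above is auditing existing DAGs for custom DeadlineReference subclasses before upgrading. The script below is an added example, not HarborGuard's or Airflow's tooling: it parses DAG files with the standard `ast` module and reports every class that subclasses `DeadlineReference`, including subclasses declared through an import alias or a module-qualified name. The sample DAG source is constructed, and `deadline_placeholder` stands in for the real import path, which this page does not give.

```python
# Added example (not HarborGuard's or Airflow's tooling): static audit of DAG
# files for classes that derive from DeadlineReference.
import ast
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample DAG file. "deadline_placeholder" is a placeholder module
# name; the real import path is not given on this page.
SAMPLE_DAG_SOURCE = '''
# Constructed sample DAG file; "deadline_placeholder" stands in for the real import path.
from deadline_placeholder import DeadlineReference
from deadline_placeholder import DeadlineReference as DR
import deadline_placeholder as dl

class QueuedPlusHours(DeadlineReference):
    pass

class AliasRef(DR):
    pass

class NestedRef(dl.DeadlineReference):
    pass

class NotAReference:
    pass
'''


def find_reference_subclasses(
    source: str, base_name: str = "DeadlineReference"
) -> List[Tuple[str, int]]:
    """Return (class name, line number) for each class deriving from base_name.

    Handles three spellings of the base: a bare name, a name bound by
    "from m import DeadlineReference as X", and a module-qualified attribute
    such as "dl.DeadlineReference". Purely syntactic: it does not execute the
    DAG file, which is the point of running it before the code reaches a scheduler.
    """
    tree = ast.parse(source)

    # Names that refer to the base class in this file: the literal name plus
    # any "as" alias introduced by a from-import.
    base_names = {base_name}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if alias.name == base_name and alias.asname:
                    base_names.add(alias.asname)

    hits: List[Tuple[str, int]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.ClassDef):
            continue
        for base in node.bases:
            bare = isinstance(base, ast.Name) and base.id in base_names
            qualified = isinstance(base, ast.Attribute) and base.attr == base_name
            if bare or qualified:
                hits.append((node.name, node.lineno))
                break
    return hits


def audit_dag_files(paths: Iterable[Path]) -> Dict[str, List[Tuple[str, int]]]:
    """Run the audit over .py files and keep only files with findings."""
    findings: Dict[str, List[Tuple[str, int]]] = {}
    for path in paths:
        if path.suffix != ".py":
            continue
        try:
            hits = find_reference_subclasses(path.read_text(encoding="utf-8"))
        except SyntaxError as exc:
            # A file the parser cannot read still deserves a manual look.
            findings[str(path)] = [(f"<syntax error: {exc.msg}>", exc.lineno or 0)]
            continue
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for name, line in find_reference_subclasses(SAMPLE_DAG_SOURCE):
        print(f"sample.py:{line}: {name} subclasses DeadlineReference")
    # For a real bundle: audit_dag_files(Path("/path/to/dags").rglob("*.py"))
```

Because the check is name-based, a subclass built through an indirect route (a factory call, `type(...)`, or a base bound under another name at runtime) will not be reported; treat the output as a starting list for review, not as proof of absence.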


Fix available: 3.2.2
Patch commits:
Affected packages:
  • Apache Software Foundation / Apache Airflow: < 3.2.2 (from 0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L