CVE-2026-45360

CVE-2026-45360 is a high-severity vulnerability in Apache Airflow with a CVSS 3.x base score of 7.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-502.

Key facts

Description

Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

Frequently asked questions

What is CVE-2026-45360?
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
How severe is CVE-2026-45360?
CVE-2026-45360 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
Is CVE-2026-45360 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (47th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-45360?
CVE-2026-45360 affects Apache Airflow. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-45360?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-45360 have an EU (EUVD) identifier?
Yes. CVE-2026-45360 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-33587.
When was CVE-2026-45360 published?
CVE-2026-45360 was published on 2026-06-01 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Apache Airflow

All CVEs affecting Apache Airflow →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →