CVE-2026-33264 Overview
CVE-2026-33264 is an insecure deserialization vulnerability in Apache Airflow that allows remote code execution on the Scheduler and API Server processes. The flaw resides in BaseSerialization.deserialize(), which invokes import_string() on attacker-controlled class paths when loading a serialized Directed Acyclic Graph (DAG). A DAG author can embed a malicious trigger inside a DAG, causing arbitrary code to execute inside the API Server or Scheduler when the DAG is loaded. This breaks the Airflow security boundary that requires DAG-author code to remain isolated from those trusted processes. The issue is tracked as CWE-502: Deserialization of Untrusted Data and is fixed in apache-airflow 3.3.0.
Critical Impact
An authenticated DAG author can achieve remote code execution on the Airflow Scheduler or API Server, compromising the orchestration control plane and any credentials it holds.
Affected Products
- Apache Airflow versions prior to 3.3.0
- Apache Airflow Scheduler component
- Apache Airflow API Server component
Discovery Timeline
- 2026-07-07 - CVE-2026-33264 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-33264
Vulnerability Analysis
Apache Airflow serializes DAG objects so the Scheduler and API Server can reconstruct them from the metadata database. The BaseSerialization.deserialize() routine reconstructs Python objects by resolving fully qualified class paths through import_string(). Because the deserializer did not restrict which classes could be imported, any class path stored in the serialized payload was loaded and instantiated inside the receiving process.
DAG authors control the content of serialized DAGs, including trigger objects. By embedding a trigger that references an attacker-chosen class path, a DAG author causes the Scheduler or API Server to import and execute that code during normal DAG loading. This crosses the trust boundary Airflow enforces between DAG-author code (untrusted) and the orchestration control plane (trusted).
Root Cause
The root cause is missing allowlist enforcement inside BaseSerialization.deserialize(). The function trusted the class reference contained in the serialized payload and passed it directly to import_string() without checking it against [core] allowed_deserialization_classes. Any importable Python object in the process environment became a valid deserialization target.
Attack Vector
Exploitation requires the ability to author or modify a DAG that Airflow will serialize and load. The attacker crafts a DAG containing a trigger whose serialized form references a malicious class path. When the Scheduler parses the DAG or the API Server retrieves it from the metadata store, import_string() resolves the attacker-controlled path and executes code in the context of the Airflow service account. See the Apache mailing list advisory for additional detail.
No verified public proof-of-concept code is available at the time of publication. Technical remediation details are documented in GitHub Pull Request #66002 and GitHub Pull Request #68528.
Detection Methods for CVE-2026-33264
Indicators of Compromise
- Unexpected child processes spawned by the Airflow Scheduler or API Server user, particularly Python interpreters invoking shells or network utilities.
- Outbound network connections from Scheduler or API Server hosts to unusual destinations shortly after DAG parsing events.
- New or modified DAG files referencing uncommon import paths inside trigger definitions or __classpath__ fields of serialized payloads.
Detection Strategies
- Inspect the serialized_dag table in the Airflow metadata database for entries containing class references outside the standard airflow.* namespace.
- Enable structured audit logging on DAG parsing and correlate parse events with process creation telemetry on Scheduler and API Server hosts.
- Alert on invocations of import_string() resolving to paths not present in [core] allowed_deserialization_classes.
Monitoring Recommendations
- Baseline the expected process tree of the airflow-scheduler and airflow-apiserver services and alert on deviations.
- Monitor Git repositories or DAG storage locations for commits that introduce trigger objects with dynamically resolved class paths.
- Forward Airflow logs and host telemetry to a central analytics platform for correlation across DAG changes, parse events, and process activity.
How to Mitigate CVE-2026-33264
Immediate Actions Required
- Upgrade apache-airflow to version 3.3.0 or later on all Scheduler, API Server, and Worker nodes.
- Audit existing DAGs for triggers referencing unusual or non-standard import paths and remove suspicious entries.
- Rotate any credentials, connections, and Fernet keys accessible to the Scheduler or API Server if compromise is suspected.
Patch Information
The fix is delivered in apache-airflow 3.3.0. The relevant changes restrict BaseSerialization.deserialize() to an allowlist of classes and are documented in GitHub Pull Request #66002 and GitHub Pull Request #68528.
Workarounds
- Restrict the [core] allowed_deserialization_classes configuration to a narrow, explicit allowlist of trusted class paths as a defense-in-depth control.
- Limit DAG-author permissions so only vetted users can commit DAGs to the deployment, and enforce code review on all DAG changes.
- Isolate the Scheduler and API Server on dedicated hosts with least-privilege service accounts and restricted egress network policies.
# airflow.cfg defense-in-depth allowlist example
[core]
allowed_deserialization_classes = airflow\..*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

