CVE-2026-42359 Overview
CVE-2026-42359 is a high-severity insecure deserialization vulnerability in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/{key}. An authenticated UI or API user with XCom write permission on a Dag can set XCom entries under reserved key names such as return_value. The endpoint also accepts serialized payload shapes that the triggerer's deserializer treats as code. When the affected task next defers to the triggerer, the payload executes, resulting in remote code execution (RCE). This issue is a fix-bypass of CVE-2026-33858, which only patched the POST/set path through PR #64148 by adding the FORBIDDEN_XCOM_KEYS validator. The PATCH path remained uncovered until the fix in apache-airflow 3.2.2.
Critical Impact
Authenticated low-privileged users can achieve remote code execution on the Airflow triggerer by writing crafted XCom payloads under reserved keys.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments where untrusted users hold XCom write permission on Dags
- Deployments running Dags that defer to the triggerer
Discovery Timeline
- 2026-06-01 - CVE-2026-42359 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-42359
Vulnerability Analysis
The vulnerability stems from inconsistent input validation between two XCom-related API endpoints in Apache Airflow. The POST endpoint that creates XCom entries enforces a FORBIDDEN_XCOM_KEYS allowlist that blocks reserved key names such as return_value. The PATCH endpoint at PATCH /api/v2/xcomEntries/{key}, used to update existing XCom entries, omits this validation. An attacker with XCom write permission can use the PATCH path to write entries under any reserved key.
The XCom value is later deserialized by the triggerer process. The triggerer's deserializer interprets specific serialized payload shapes as executable code [CWE-502]. When a task associated with the manipulated XCom defers to the triggerer, the malicious payload runs in the triggerer's execution context, yielding RCE on the Airflow infrastructure.
Root Cause
The root cause is incomplete remediation of CVE-2026-33858. PR #64148 added the FORBIDDEN_XCOM_KEYS validator only to the POST/set path. The PATCH path shared the same dangerous deserialization sink but did not inherit the key validation, leaving a parallel write path open for reserved keys.
Attack Vector
An authenticated user with XCom write permission on a target Dag sends a PATCH request to /api/v2/xcomEntries/{key} where {key} is a reserved name like return_value. The body contains a serialized payload crafted to trigger code execution during deserialization. The attacker then waits for, or causes, a task to defer to the triggerer. The triggerer deserializes the malicious XCom value and executes the embedded code.
No synthetic exploit code is provided. Refer to the Apache Mailing List Thread and the GitHub Pull Request for technical details.
Detection Methods for CVE-2026-42359
Indicators of Compromise
- HTTP PATCH requests to /api/v2/xcomEntries/return_value or other reserved XCom keys originating from non-system users
- Unexpected child processes spawned by the Airflow triggerer process
- Outbound network connections initiated by the triggerer to unfamiliar destinations
- XCom entries containing serialized payloads with class references outside expected types
Detection Strategies
- Inspect Airflow API access logs for PATCH calls targeting the XCom entries route with reserved key names
- Correlate XCom write events with subsequent triggerer task defers and process anomalies
- Audit Airflow role-based access control to identify users granted XCom write permissions on sensitive Dags
- Apply signatures for suspicious Python pickle or serialization patterns transiting the Airflow API
Monitoring Recommendations
- Enable detailed audit logging on the Airflow REST API and forward logs to a centralized analytics platform
- Monitor the triggerer host for unexpected process execution, file writes, and outbound connections
- Alert on any modification of XCom entries with keys in the FORBIDDEN_XCOM_KEYS set
- Track failed and successful authentication events for accounts holding XCom write privileges
How to Mitigate CVE-2026-42359
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later, even on deployments already patched for CVE-2026-33858
- Audit and reduce XCom write permissions to trusted users only
- Review Dags that defer to the triggerer and assess exposure to untrusted user input
- Rotate credentials and secrets accessible to the triggerer process if compromise is suspected
Patch Information
The fix is delivered in apache-airflow 3.2.2. It extends the FORBIDDEN_XCOM_KEYS validation to the PATCH endpoint, closing the bypass introduced when only the POST path was hardened in PR #64148. See the GitHub Pull Request and the CVE-2026-33858 Record for context on the original fix.
Workarounds
- Restrict the Airflow API behind network controls so only trusted operators can reach the XCom endpoints
- Remove XCom write permissions from low-trust roles until the upgrade is applied
- Disable or quarantine Dags that defer to the triggerer where untrusted contributors hold write access
- Add a reverse proxy rule to block PATCH requests to /api/v2/xcomEntries/return_value and other reserved keys
# Upgrade Apache Airflow to a fixed version
pip install --upgrade "apache-airflow>=3.2.2"
# Example NGINX rule to block PATCH on reserved XCom keys as a temporary mitigation
# location ~* ^/api/v2/xcomEntries/(return_value)$ {
# if ($request_method = PATCH) { return 403; }
# proxy_pass http://airflow_api;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
