CVE-2026-45360 Overview
CVE-2026-45360 is an insecure deserialization vulnerability [CWE-502] in Apache Airflow's scheduler. The flaw resides in the SerializedCustomReference.deserialize_reference decoder, which imports and dispatches arbitrary class paths drawn from DAG-author-controlled serialized state. The decoder lacks an allowlist or plugin-registry gate, allowing a DAG author to embed a custom DeadlineReference whose serialized form names an attacker-controlled module path. The scheduler then calls import_string(...) and instantiates that class with a live SQLAlchemy session attached. The vulnerability affects deployments where DAG-author code is less trusted than the scheduler process, such as default single-host installations. Apache has released a fix in apache-airflow 3.2.2.
Critical Impact
A DAG author can coerce the Airflow scheduler to import and instantiate arbitrary Python classes with a live database session, enabling code execution and data tampering in multi-tenant Airflow environments.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Single-host Airflow deployments where the DAG bundle is importable from the scheduler process
- Multi-tenant Airflow deployments where DAG authors are less trusted than the scheduler
Discovery Timeline
- 2026-06-01 - CVE-2026-45360 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45360
Vulnerability Analysis
Apache Airflow serializes deadline-reference objects so the scheduler can reconstruct them when evaluating DAG deadlines. The SerializedCustomReference.deserialize_reference function rebuilds these objects by reading a class path stored in the serialized payload and resolving it through import_string. Because the class path originates from DAG-author-controlled state, an attacker controlling a DAG file can supply any importable module path. The scheduler imports that module, instantiates the class, and passes it a live SQLAlchemy session bound to the Airflow metadata database.
The consequences extend beyond simple code execution. The instantiated object receives an authenticated database handle, allowing direct reads and writes to Airflow's internal tables. This bypasses the role-based access controls that normally govern DAG operators and connections.
Root Cause
The root cause is the absence of an allowlist or plugin-registry validation step in SerializedCustomReference.deserialize_reference. The decoder trusts the embedded class path implicitly, treating DAG-author state as scheduler-trusted input. This violates the trust boundary between DAG authoring and scheduler execution that Airflow's documentation describes for multi-tenant deployments.
Attack Vector
A DAG author crafts a DeadlineReference whose serialized form references an attacker-controlled module path. Once the DAG is loaded by the scheduler, the deadline-evaluation path triggers import_string against the attacker's path and instantiates the named class. The class constructor executes inside the scheduler process and receives a SQLAlchemy session, allowing arbitrary database manipulation and code execution under the scheduler's privileges. Exploitation does not require authentication to Airflow's web UI; it requires only the ability to submit a DAG into the bundle the scheduler imports.
No public proof-of-concept exploit code is currently available. See the Apache Airflow Pull Request 66737 for the upstream fix and the Apache Mailing List Thread for the advisory.
Detection Methods for CVE-2026-45360
Indicators of Compromise
- Scheduler logs showing import_string calls resolving to modules outside Airflow's expected providers or plugins namespace
- DAG files containing custom DeadlineReference subclasses with non-standard _module or class-path attributes in their serialized form
- Unexpected child processes spawned by the Airflow scheduler process
- Modifications to the connection, variable, or user tables in the Airflow metadata database without a corresponding audit-log entry
Detection Strategies
- Audit all DAG files in the active bundle for custom DeadlineReference implementations and verify their module paths
- Enable verbose scheduler logging and alert on import_string invocations referencing modules outside an approved allowlist
- Monitor Airflow metadata database queries originating from the scheduler for write operations outside normal DAG-run lifecycle paths
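A minimal implementation of the second detection strategy above, added here as an illustration rather than taken from Airflow or the advisory: it scans scheduler log lines for import_string resolutions and flags any class path outside an approved allowlist. The log line format, the ALLOWED_PREFIXES tuple and the sample lines are all constructed for this example; Airflow does not emit a fixed "import_string(...)" log line, so the regex must be adapted to whatever your verbose logging actually prints.

```python
"""Allowlist check over scheduler log lines (added example, not Airflow's code).

Assumptions, all labelled: the log line format below is constructed, the
ALLOWED_PREFIXES tuple is a placeholder for the namespaces your deployment
really expects, and the sample log is synthetic.
"""
import re
from typing import Iterable, List, Tuple

# Assumed allowlist: module prefixes the scheduler is expected to import
# deadline references from. Replace with your deployment's real namespaces.
ALLOWED_PREFIXES: Tuple[str, ...] = ("airflow.", "airflow_plugins.")

# Matches the constructed "import_string(<dotted.path>)" form, with or
# without quotes around the path.
IMPORT_LINE = re.compile(r"import_string\(['\"]?(?P<path>[A-Za-z_][\w.]*)['\"]?\)")


def is_allowed(class_path: str) -> bool:
    """True when the dotted path sits under an approved namespace."""
    return class_path.startswith(ALLOWED_PREFIXES)


def find_suspicious_imports(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, class_path) for every import_string resolution
    that falls outside the allowlist. Lines without a match are ignored."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        match = IMPORT_LINE.search(line)
        if match and not is_allowed(match.group("path")):
            hits.append((number, match.group("path")))
    return hits


# Constructed sample log: three resolutions, the last one from a DAG-bundle
# module rather than an Airflow namespace.
SAMPLE_LOG = """\
[2026-06-02 10:14:03,112] {deadline.py:88} INFO - import_string(airflow.example.BaseDeadlineReference)
[2026-06-02 10:14:03,120] {deadline.py:88} INFO - import_string('airflow_plugins.sla.SlaReference')
[2026-06-02 10:14:05,404] {deadline.py:88} INFO - import_string(dags.reporting_helpers.CustomDeadline)
"""


if __name__ == "__main__":
    for number, path in find_suspicious_imports(SAMPLE_LOG.splitlines()):
        print(f"line {number}: import outside allowlist: {path}")
```

Feed real scheduler output through find_suspicious_imports in a SIEM pre-processor or a cron job; a prefix allowlist is deliberately conservative, so tune ALLOWED_PREFIXES to your own plugin packages rather than loosening the check.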
Monitoring Recommendations
- Track Apache Airflow scheduler version across all hosts and flag any instance running a release earlier than 3.2.2
- Correlate DAG file modifications with scheduler restarts and unexpected outbound network connections from scheduler hosts
- Centralize Airflow scheduler and webserver logs in a SIEM and build alerts for deadline-deserialization errors or unusual import patterns
How to Mitigate CVE-2026-45360
Immediate Actions Required
- Upgrade Apache Airflow to version 3.2.2 or later on all scheduler, webserver, and worker hosts
- Inventory all DAG bundles and remove any DAGs containing untrusted or unreviewed DeadlineReference definitions
- Restrict write access to DAG folders so only vetted CI/CD pipelines can publish DAGs to production schedulers
- Rotate database credentials and any secrets the scheduler can access if compromise is suspected
Patch Information
Apache has fixed the vulnerability in apache-airflow 3.2.2. The patch adds allowlist validation in SerializedCustomReference.deserialize_reference so the scheduler only imports class paths registered through the plugin registry. Review the GitHub Pull Request and the Openwall OSS-Security Post for full technical detail.
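To make the root cause and the shape of the fix concrete, here is an added example that is not Airflow's code: a decoder that imports whatever class path the serialized payload names, placed beside a decoder that treats that path only as a lookup key into a registry of pre-approved classes. The DeadlineReference base class, SlaReference, the _REGISTRY dict and the stand-in import_string helper are all hypothetical names for this example; the real decoder and plugin registry live in apache-airflow and differ in detail.

```python
"""Unsafe versus registry-gated deserialization (added example, not Airflow's code).

Assumptions, all labelled: ``import_string`` is a minimal stand-in for a
dotted-path importer; ``DeadlineReference``, ``SlaReference`` and
``_REGISTRY`` are hypothetical names chosen for this illustration.
"""
import importlib
from typing import Any, Dict, Type


class DeadlineReference:
    """Hypothetical base class: every reference is built with a DB session."""

    def __init__(self, session: Any) -> None:
        self.session = session


class SlaReference(DeadlineReference):
    """One trusted implementation, registered below (constructed for the example)."""


def import_string(dotted_path: str) -> Any:
    """Resolve 'pkg.module.Name' to the object it names (stand-in importer)."""
    module_path, _, name = dotted_path.rpartition(".")
    if not module_path:
        raise ImportError(f"{dotted_path!r} is not a dotted path")
    return getattr(importlib.import_module(module_path), name)


def deserialize_reference_unsafe(payload: Dict[str, str], session: Any) -> Any:
    """Vulnerable pattern: the payload decides what gets imported, and the
    resulting class is instantiated with the live session attached."""
    cls = import_string(payload["reference_class"])
    return cls(session)


# Hypothetical plugin registry: the only class paths the decoder may load.
# Registration happens in scheduler-trusted code, never from DAG state.
_REGISTRY: Dict[str, Type[DeadlineReference]] = {
    f"{SlaReference.__module__}.{SlaReference.__qualname__}": SlaReference,
}


class UntrustedReferenceError(ValueError):
    """Raised when serialized state names a class path outside the registry."""


def is_registered(class_path: str) -> bool:
    """True when the path was registered by trusted code."""
    return class_path in _REGISTRY


def deserialize_reference_safe(payload: Dict[str, str], session: Any) -> DeadlineReference:
    """Hardened pattern: the serialized path is a dictionary key, not an
    import target, so DAG-author state can never cause an import."""
    class_path = payload.get("reference_class", "")
    if not is_registered(class_path):
        raise UntrustedReferenceError(f"unregistered deadline reference: {class_path!r}")
    return _REGISTRY[class_path](session)


if __name__ == "__main__":
    trusted = {"reference_class": f"{SlaReference.__module__}.{SlaReference.__qualname__}"}
    print(type(deserialize_reference_safe(trusted, session=None)).__name__)
    try:
        deserialize_reference_safe({"reference_class": "collections.OrderedDict"}, None)
    except UntrustedReferenceError as exc:
        print("rejected:", exc)
```

The design point is that the gated decoder never calls an importer at all: membership in a registry populated by trusted code is the only thing that maps a string to a class, which is what an allowlist in the decoder buys over validating the string's shape.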
Workarounds
- Isolate the scheduler from untrusted DAG authors by adopting Airflow's DAG-processor-in-a-separate-process deployment model with appropriate sandboxing
- Apply file-system access controls so DAG authors cannot define classes that live on the scheduler's Python path
- Disable or remove custom DeadlineReference usage from the DAG bundle until the upgrade is complete
# Upgrade Apache Airflow to a patched release
pip install --upgrade "apache-airflow>=3.2.2"
# Verify the installed version
airflow version
# Restart scheduler and webserver services after upgrade
systemctl restart airflow-scheduler airflow-webserver
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.