External risk intelligence

Apache Airflow Remote Code Execution via Deserialization Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-33264

This vulnerability affects Apache Airflow API Servers and Schedulers. These components are frequently exposed as internet-facing or edge services to allow remote DAG management and API-based orchestration in distributed deployments, making them commonly reachable in network-facing environments.

Deserialization

Apache Airflow

before 3.3.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Apache Airflow could allow an attacker to execute arbitrary code on your systems by embedding malicious code into a DAG file. This issue could compromise the security of your API Server and Scheduler processes, potentially impacting your data orchestration capabilities. The main concern is confirming relevance and exposure given the nature of the affected technology.

  • Malicious code can be run remotely.
  • Attackers can control critical orchestration systems.
  • Confirm relevance and exposure of Airflow systems.

Attack Path

How an attacker could exploit the issue

An attacker could compromise the API server or scheduler by embedding a malicious trigger within a Directed Acyclic Graph (DAG) file. When the server loads this serialized DAG, it would execute the attacker-controlled class path, leading to remote code execution. This bypasses security controls by allowing code that should only be authored by a trusted user to run within the core server processes.

  • Requires attacker to author a DAG.
  • Malicious DAG deserialization on server.
  • Remote code execution on server.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in how serialized DAGs are processed could allow a malicious DAG author to execute arbitrary code on the API server or scheduler. This occurs when the Scheduler or API Server loads a serialized DAG that contains a specially crafted trigger. When supported by the advisory, this could affect the integrity and availability of the API Server and Scheduler processes.

  • API Server/Scheduler process integrity.
  • Malicious DAG author embeds malicious trigger.
  • Remote code execution on server processes.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Airflow platform owner or the application team responsible for managing DAGs and the Airflow API Server/Scheduler processes should take the lead on this vulnerability. The immediate first step is to identify all Airflow deployments, determine their exposure, and confirm which DAGs are sourced from untrusted authors or external inputs. Once identified and prioritized by risk, a remediation plan involving vendor coordination and maintenance window scheduling can be developed.

  • Identify affected Airflow instances.
  • Verify DAG author trust and exposure.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Apache Airflow and why does it have an API Server?

Apache Airflow is an open-source platform used to programmatically author, schedule, and monitor workflows, often called Directed Acyclic Graphs (DAGs). The API Server and Scheduler are core components that manage these workflows. Organizations use Airflow to automate complex data pipelines across distributed systems, relying on these components to coordinate tasks and process instructions provided by users.

How does CVE-2026-33264 relate to deserialization?

This vulnerability involves the CWE-502 weakness, known as deserialization of untrusted data. It occurs when an application takes data from an untrusted source—in this case, a DAG file—and restores it into an object without sufficient validation. Because the software fails to restrict which class paths can be imported during this process, an attacker can trick the system into executing unauthorized code instead of simply loading a data structure.

Do I need to worry if I am the only one writing my DAGs?

The risk is specifically tied to the processing of DAGs authored by untrusted parties. The vulnerability is triggered when the Scheduler or API Server loads a serialized DAG containing a malicious trigger. If your environment strictly limits DAG authorship to fully trusted internal administrators and you do not ingest DAGs from external or unverified sources, you are not in the primary trigger path for this specific exploit.

Why does Halo Surface Signal flag Airflow as potentially exposed?

Halo Surface Signal identifies this as a relevant concern because Apache Airflow API Servers and Schedulers are frequently deployed as internet-facing or edge services. This architectural choice is often made to facilitate remote DAG management and API-based orchestration. Because these components are commonly reachable in network-facing environments, they face a higher probability of being targeted by unauthorized actors.

What are the first steps to secure my Airflow instance?

The most effective response is to upgrade your environment to apache-airflow version 3.3.0 or later, which addresses the flaw. As an immediate defense-in-depth measure, you should review your configuration settings. Specifically, you can restrict the [core] allowed_deserialization_classes setting to a narrow allowlist, which prevents the system from importing arbitrary and potentially malicious class paths until you are able to complete the software update.

References