Deserialization in Apache Software Foundation Airflow

CVE-2026-33264

A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain r…

Vulnerability class: Insecure Deserialization

Affected products

Weakness classification (CWE)

References