NIXPKGS-2026-1079

GitHub issue published on

Permalink CVE-2026-33858

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 weeks, 1 day ago by @LeSuisse Activity log

Created suggestion 2 weeks, 1 day ago
@LeSuisse accepted 2 weeks, 1 day ago
@LeSuisse published on GitHub 2 weeks, 1 day ago

Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

References

Affected products

apache-airflow

<3.2.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

nixos-unstable 3.1.7
- nixpkgs-unstable 3.1.7
- nixos-unstable-small 3.1.7
nixos-25.11 2.7.3
- nixos-25.11-small 2.7.3
- nixpkgs-25.11-darwin 2.7.3

Package maintainers

@gbpdt Graham Bennett <nix@pdtpartners.com>
@ingenieroariel Ariel Nunez <ariel@nunez.co>
@bhipple Benjamin Hipple <bhipple@protonmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1079

References

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers