NIXPKGS-2026-1193

GitHub issue published on

Permalink CVE-2026-25917

updated 4 hours ago by @LeSuisse Activity log

Created automatic suggestion 17 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 4 hours ago

Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

References

Affected products

apache-airflow

<3.2.0

Matching in nixpkgs

pkgs.apache-airflow

Platform to programmatically author, schedule and monitor workflows

nixos-unstable 3.1.7
- nixpkgs-unstable 3.1.7
- nixos-unstable-small 3.1.7
nixos-25.11 2.7.3
- nixos-25.11-small 2.7.3
- nixpkgs-25.11-darwin 2.7.3

Package maintainers

@taranarmo Sergey Volkov <taranarmo@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1193

References

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers