Input validation error in Apache Airflow - CVE-2026-42359


Published: June 4, 2026


Vulnerability identifier: #VU133386
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42359
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in the XCom PATCH endpoint of the Airflow REST API. The endpoint accepts crafted PATCH requests that update XCom entries under reserved key names with attacker-controlled serialized payloads. Because the stored entry is later consumed by Airflow components, a remote user who can issue such a PATCH request can execute arbitrary code.

Exploitation requires XCom write permission on a Dag, and the affected task must later defer to the triggerer; a poisoned XCom entry on a task that never defers is not reported as exploitable by this advisory.
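Until the vendor update is applied, the practical check is to find who is writing XCom entries through the API and which keys they touch. The script below is an added example, not code from the advisory or from the Apache Airflow project: it scans constructed access-log lines for PATCH requests to the XCom entry path and flags writes to a watch list of reserved keys. The log line shape, the `/api/v2/...` path layout and the choice of `return_value` (Airflow's documented return-value XCom key) as the watched key are assumptions; adjust them to your deployment and to the keys named in the vendor advisory.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed sample lines in a generic combined-log shape (assumed, not real Airflow output).
SAMPLE_LOG = """\
10.0.0.5 - alice [04/Jun/2026:10:01:12 +0000] "GET /api/v2/dags/etl/dagRuns/run_1/taskInstances/extract/xcomEntries HTTP/1.1" 200 512
10.0.0.9 - bob [04/Jun/2026:10:02:40 +0000] "PATCH /api/v2/dags/etl/dagRuns/run_1/taskInstances/extract/xcomEntries/return_value HTTP/1.1" 200 87
10.0.0.9 - bob [04/Jun/2026:10:02:41 +0000] "PATCH /api/v2/dags/etl/dagRuns/run_1/taskInstances/extract/xcomEntries/my_key?map_index=-1 HTTP/1.1" 200 87
10.0.0.7 - carol [04/Jun/2026:10:03:05 +0000] "POST /api/v2/dags/etl/dagRuns HTTP/1.1" 201 300
"""

# Generic access-log line: client, user, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Assumed XCom entry path; the version segment is left flexible.
XCOM_PATH_RE = re.compile(
    r'^/api/v\d+/dags/(?P<dag>[^/]+)/dagRuns/(?P<run>[^/]+)/taskInstances/(?P<task>[^/]+)'
    r'/xcomEntries/(?P<key>[^/]+)$'
)

# Assumed watch list: the advisory does not name the reserved keys, so start with
# Airflow's return-value key and extend from the vendor's fix.
DEFAULT_RESERVED_KEYS: FrozenSet[str] = frozenset({"return_value"})


@dataclass
class XComWrite:
    ip: str
    user: str
    ts: str
    dag: str
    task: str
    key: str
    status: int
    reserved: bool  # True when the key is on the watch list


def parse_xcom_patch(line: str, reserved_keys: FrozenSet[str]) -> Optional[XComWrite]:
    """Return an XComWrite if the line is a PATCH to an XCom entry, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "PATCH":
        return None
    # Drop any query string (e.g. map_index) before matching the path.
    path = m.group("path").split("?", 1)[0]
    p = XCOM_PATH_RE.match(path)
    if not p:
        return None
    key = p.group("key")
    return XComWrite(
        ip=m.group("ip"),
        user=m.group("user"),
        ts=m.group("ts"),
        dag=p.group("dag"),
        task=p.group("task"),
        key=key,
        status=int(m.group("status")),
        reserved=key in reserved_keys,
    )


def find_xcom_patches(lines: Iterable[str],
                      reserved_keys: FrozenSet[str] = DEFAULT_RESERVED_KEYS) -> List[XComWrite]:
    """Collect every API-driven XCom write in the log, in order of appearance."""
    hits = []
    for line in lines:
        w = parse_xcom_patch(line, reserved_keys)
        if w is not None:
            hits.append(w)
    return hits


def reserved_key_writes(lines: Iterable[str],
                        reserved_keys: FrozenSet[str] = DEFAULT_RESERVED_KEYS) -> List[XComWrite]:
    """Only the writes that hit a reserved key: the ones worth an immediate look."""
    return [w for w in find_xcom_patches(lines, reserved_keys) if w.reserved]


if __name__ == "__main__":
    for w in find_xcom_patches(SAMPLE_LOG.splitlines()):
        flag = "RESERVED" if w.reserved else "ok"
        print(f"{w.ts} {w.user}@{w.ip} PATCH dag={w.dag} task={w.task} key={w.key} -> {flag}")
```

Successful (2xx) PATCH writes to a reserved key by an account that does not normally drive the API are the events to correlate with later deferrals of the same task; the user name also tells you which Dag-level XCom write permission to review.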


How to mitigate CVE-2026-42359

Install the security update from the vendor's website. Until it is applied, limit XCom write permission on Dags to accounts that need it, and review API access logs for PATCH requests to the XCom endpoint, since such requests are the exploitation vector described above.

Sources