Severity: medium
Affected versions:
- Apache Airflow (apache-airflow) 3.2.0 before 3.2.2
Description:
A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}`
allowed an authenticated UI/API user with XCom write permission on a Dag to set
XCom entries under reserved key names (e.g. `return_value`) that the matching
POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint
also accepted serialized payload shapes the triggerer's deserializer treats as
code; combined, this allowed RCE on the triggerer when the affected task next
deferred. Affects deployments where untrusted users have XCom write permission
on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR
#64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the
PATCH path was not covered. Users who already upgraded for CVE-2026-33858
should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the
PATCH-path bypass.
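A log-review helper for this bypass, added here as an example and not code from the Airflow project: it flags successful `PATCH` requests to the XCom endpoint named above whose key is reserved, so a deployment that ran an affected version can check whether the PATCH path was used that way before the upgrade. It assumes common-log-format access lines (Airflow's actual access-log format may differ) and a reserved-key set holding only `return_value`, the one key this advisory names; the sample lines are constructed.

```python
"""Added example, not Airflow's own code: scan API access logs for PATCH
writes to the XCom endpoint named in the advisory that target a reserved
key. Assumed (not from the advisory): common log format lines; the
reserved-key set only contains `return_value`, the one key the advisory
names. The sample lines are constructed."""
import re
from urllib.parse import unquote

# Extend with whatever FORBIDDEN_XCOM_KEYS holds in your Airflow release.
RESERVED_XCOM_KEYS = frozenset({"return_value"})

# Common log format: src - user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
XCOM_PATCH_RE = re.compile(r"^/api/v2/xcomEntries/(?P<key>[^/?]+)/?$")

def flag_xcom_patch(line):
    """Return a finding dict for a successful PATCH of a reserved XCom key,
    else None. 4xx responses are not flagged: on a fixed version the server
    rejects the request, and that rejection is the expected outcome."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "PATCH":
        return None
    path = m["path"].split("?", 1)[0]  # drop any query string
    pm = XCOM_PATCH_RE.match(path)
    if not pm:
        return None
    key = unquote(pm["key"])  # percent-encoded keys decode before compare
    if key not in RESERVED_XCOM_KEYS or not m["status"].startswith("2"):
        return None
    return {"src": m["src"], "user": m["user"], "time": m["ts"],
            "key": key, "status": int(m["status"])}

def scan(lines):
    """Run flag_xcom_patch over every line and collect the findings."""
    return [f for f in map(flag_xcom_patch, lines) if f is not None]

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Mar/2026:10:00:01 +0000] "GET /api/v2/xcomEntries/return_value HTTP/1.1" 200 88',
    '10.0.0.9 - bob [01/Mar/2026:10:02:17 +0000] "PATCH /api/v2/xcomEntries/return_value HTTP/1.1" 200 40',
    '10.0.0.9 - bob [01/Mar/2026:10:02:18 +0000] "PATCH /api/v2/xcomEntries/return%5Fvalue?map_index=-1 HTTP/1.1" 200 40',
    '10.0.0.7 - carol [01/Mar/2026:10:03:00 +0000] "PATCH /api/v2/xcomEntries/my_key HTTP/1.1" 200 40',
    '10.0.0.9 - bob [01/Mar/2026:10:05:00 +0000] "PATCH /api/v2/xcomEntries/return_value HTTP/1.1" 400 20',
]
```

A hit on an affected version only shows that a reserved key was written through the PATCH path; whether the payload was one the triggerer deserializes as code still has to be checked against the stored XCom value and the triggerer logs.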
Credit:
Jeff Vier (`@boinger`); Izat (Anisto Mejin) (finder; placeholder entries,
since the receipt-of-confirmation replies ask each reporter to confirm their
preferred credit form)
Venkatraman Kumar (r3dw0lfsec), Securin (finder)
Jarek Potiuk (remediation developer)
References:
https://github.com/apache/airflow/pull/65915
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-42359