Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-xd5g-jkrd-67cr

Summary

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.


Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

Aliases

alias	CVE-2026-33858

alias	PYSEC-2026-20

Fixed_packages

url	pkg:pypi/apache-airflow@3.2.0
purl	pkg:pypi/apache-airflow@3.2.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0

Affected_packages

url pkg:pypi/apache-airflow@3.1.8

purl pkg:pypi/apache-airflow@3.1.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xr2-w3hk-auck

vulnerability	VCID-91n6-evww-zybp

vulnerability	VCID-etmw-7eq5-mqa2

vulnerability	VCID-geg4-1kgh-akde

vulnerability	VCID-w56f-fmkf-dkfv

vulnerability	VCID-xd5g-jkrd-67cr

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8

url pkg:pypi/apache-airflow@3.2.0b1

purl pkg:pypi/apache-airflow@3.2.0b1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xr2-w3hk-auck

vulnerability	VCID-91n6-evww-zybp

vulnerability	VCID-etmw-7eq5-mqa2

vulnerability	VCID-geg4-1kgh-akde

vulnerability	VCID-w56f-fmkf-dkfv

vulnerability	VCID-xd5g-jkrd-67cr

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0b1

url pkg:pypi/apache-airflow@3.2.0b2

purl pkg:pypi/apache-airflow@3.2.0b2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xr2-w3hk-auck

vulnerability	VCID-91n6-evww-zybp

vulnerability	VCID-etmw-7eq5-mqa2

vulnerability	VCID-geg4-1kgh-akde

vulnerability	VCID-w56f-fmkf-dkfv

vulnerability	VCID-xd5g-jkrd-67cr

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0b2

url pkg:pypi/apache-airflow@3.2.0rc1

purl pkg:pypi/apache-airflow@3.2.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xr2-w3hk-auck

vulnerability	VCID-91n6-evww-zybp

vulnerability	VCID-etmw-7eq5-mqa2

vulnerability	VCID-geg4-1kgh-akde

vulnerability	VCID-w56f-fmkf-dkfv

vulnerability	VCID-xd5g-jkrd-67cr

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0rc1

url pkg:pypi/apache-airflow@3.2.0rc2

purl pkg:pypi/apache-airflow@3.2.0rc2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xr2-w3hk-auck

vulnerability	VCID-91n6-evww-zybp

vulnerability	VCID-etmw-7eq5-mqa2

vulnerability	VCID-geg4-1kgh-akde

vulnerability	VCID-w56f-fmkf-dkfv

vulnerability	VCID-xd5g-jkrd-67cr

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0rc2

References

reference_url

https://github.com/apache/airflow/pull/64148

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://github.com/apache/airflow/pull/64148

reference_url

https://lists.apache.org/thread/1npt3o2x81s0gw9tmfcv4n7p1z9hdmy0

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://lists.apache.org/thread/1npt3o2x81s0gw9tmfcv4n7p1z9hdmy0

reference_url

http://www.openwall.com/lists/oss-security/2026/04/13/7

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

http://www.openwall.com/lists/oss-security/2026/04/13/7

Weaknesses

Exploits

Severity_range_score 8.8 - 8.8

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xd5g-jkrd-67cr

Vulnerability Instance