{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37288?format=json","vulnerability_id":"VCID-xd5g-jkrd-67cr","summary":"Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.","aliases":[{"alias":"CVE-2026-33858"},{"alias":"PYSEC-2026-20"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49522?format=json","purl":"pkg:pypi/apache-airflow@3.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48814?format=json","purl":"pkg:pypi/apache-airflow@3.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-xd5g-jkrd-67cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/49518?format=json","purl":"pkg:pypi/apache-airflow@3.2.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-xd5g-jkrd-67cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/49519?format=json","purl":"pkg:pypi/apache-airflow@3.2.0b2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"
VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-xd5g-jkrd-67cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0b2"},{"url":"http://public2.vulnerablecode.io/api/packages/49520?format=json","purl":"pkg:pypi/apache-airflow@3.2.0rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-xd5g-jkrd-67cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/49521?format=json","purl":"pkg:pypi/apache-airflow@3.2.0rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-xd5g-jkrd-67cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0rc2"}],"references":[{"reference_url":"https://github.com/apache/airflow/pull/64148","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/apache/airflow/pull/64148"},{"reference_url":"https://lists.apache.org/thread/1npt3o2x81s0gw9tmfcv4n7p1z9hdmy0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://lists.apache.org/thread/1npt3o2x81s0gw9tmfcv4n7p1z9hdmy0"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/13/7"
,"reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"http://www.openwall.com/lists/oss-security/2026/04/13/7"}],"weaknesses":[],"exploits":[],"severity_range_score":"8.8 - 8.8","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xd5g-jkrd-67cr"}