CVE lookup
CVE-2026-33264
Pruva has a verified reproduction for CVE-2026-33264: Apache Airflow <3.3.0 allows deserialization of attacker-controlled class paths in BaseSerialization.deserialize(), enabling DAG authors to trigger RCE in the Scheduler/API Server via malicious serialized DAGs.. The canonical evidence record is REPRO-2026-00271.
REPRO
REPRO-2026-00271
Package
apache/airflow · PyPI
Severity
CRITICAL
Status
published