CVE-2025-54550

HIGH 8.1

Apache Airflow: RCE by race condition in example_xcom dag

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

7th

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly.

CWE	CWE-94
Vendor	apache software foundation
Product	apache airflow
Published	Apr 15, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new high vulnerabilities affecting apache software foundation apache airflow are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow

0 < 3.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1 github.com: https://github.com/apache/airflow/pull/63200 openwall.com: http://www.openwall.com/lists/oss-security/2026/04/15/1

Credits

Vincent55 Yang