Critical Apache Airflow Vulnerability Exposes Workflow Schedulers to Code Execution

Security researchers disclosed CVE-2026-45360, a critical Apache Airflow scheduler deserialization flaw that allows the scheduler to instantiate attacker-controlled classes from untrusted serialized state, potentially executing code with an active database session and enabling severe manipulation or compromise; maintainers have released a fix and users should upgrade to Airflow 3.2.2+ and tighten DAG authoring permissions.