LeakyCreds

CVE-2026-25917 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: April 20, 2026

Apache Airflow - Stored XSS

Published: April 18, 2026 | Updated: April 20, 2026 | Remote Exploitable

Overview

Apache Airflow contains a stored cross-site scripting (XSS) flaw: a DAG author can craft an XCom payload that the webserver renders without neutralizing it, so arbitrary script executes in the webserver context. Exploitation requires DAG Author privileges, a role that normally should not be able to execute code in the webserver.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 7.1% (probability of exploitation in the next 30 days)

Note that the 9.8 score and its vector (PR:N, no privileges required) do not match the advisory text, which requires DAG Author privileges; the advisory wording quoted in the social posts below rates the issue Low because DAG Authors are already highly trusted, and this page lists the entry as unconfirmed. Treat the 9.8 as an automated score rather than the vendor's rating when prioritizing.

Impact

A DAG author can push a crafted XCom value that the webserver renders without neutralizing it, so arbitrary script executes in the webserver context whenever that value is displayed, potentially compromising the server.
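The rendering mistake behind a stored XSS of this kind, as an added example written for this page and not Airflow's own code: a hypothetical Python view that interpolates a DAG-author-controlled XCom value straight into HTML, beside a hardened version that HTML-escapes the serialized value before it enters the page. The XCom value, the two render functions and the check helper are all constructed for illustration.

```python
import html
import json

# Constructed sample XCom value. A DAG author controls this string end to end,
# so the web UI must treat it as untrusted input, not as trusted metadata.
MALICIOUS_XCOM_VALUE = {"result": "<img src=x onerror=alert(1)>"}


def render_xcom_unsafe(value):
    """Vulnerable pattern (hypothetical, not Airflow code): the serialized XCom
    value is interpolated directly into the HTML table cell. Any markup the DAG
    author stored becomes live DOM and runs in every viewer's browser."""
    return f'<td class="xcom-value">{json.dumps(value)}</td>'


def render_xcom_safe(value):
    """Hardened pattern: serialize first, then HTML-escape the text (including
    quotes) before it enters the document. The browser shows the payload as
    literal characters instead of parsing it as a tag."""
    escaped = html.escape(json.dumps(value), quote=True)
    return f'<td class="xcom-value">{escaped}</td>'


def contains_live_markup(rendered):
    """Crude post-render check: does a raw tag from the payload survive? Returns
    True for the unsafe rendering and False for the escaped one."""
    return "<img" in rendered


if __name__ == "__main__":
    print("unsafe:", render_xcom_unsafe(MALICIOUS_XCOM_VALUE))
    print("safe:  ", render_xcom_safe(MALICIOUS_XCOM_VALUE))
```

The fix is context-aware output encoding at the point where the value is written into the page, not sanitizing the XCom when it is pushed: XCom values are arbitrary data that tasks legitimately exchange, and the same value may later be rendered into HTML, an attribute, or a script block, each needing its own encoding.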

Mitigation

Upgrade to Apache Airflow 3.2.0. Until the upgrade is deployed, restrict the DAG Author role to trusted users, since the flaw is only reachable with that privilege.

Social Media Activity (3 posts)

TheHackerWire (@thehackerwire), Apr 20, 2026

🔴 CVE-2026-25917 - Critical (9.8) Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25917/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Can Artuc (@canartuc), Apr 20, 2026

Apache Airflow 3.2.0 closed five security flaws starting April 18. CVE-2026-25917 lets any workflow author (DAG author) run code in the webserver. CVE-2026-31987 leaks login tokens through task logs. Three days earlier, Dagster patched its own SQL injection. Orchestration tools were built when the DAG author and the platform operator shared one chair. Today 30 employees and 12 contractors share that chair, and the threat model never updated. #DevOps #InfoSec #DataEngineering #CyberSecurity


Details

CVE ID: CVE-2026-25917
Severity: Critical
CVSS Score: 9.8
Type: stored_xss
Status: unconfirmed
EPSS: 7.1%
Social Posts: 3

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.1% (probability of exploitation in the next 30 days)