CVE-2026-33264 - Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
CVE ID :CVE-2026-33264 Published : July 7, 2026, 10:16 a.m. | 6 hours, 58 minutes ago Description :A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could...