Apache Airflow's scheduler-side deadline-reference decoder (SerializedCustomReference.deserialize_reference) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom DeadlineReference whose serialized form named an attacker-controlled module path, causing the scheduler to import_string(...) and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to apache-airflow 3.2.2 or later.
Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:LI:LA:L7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LSerialization