{"vulnerability": "cve-2026-33264", "sightings": [{"uuid": "40625e39-10fd-4ea9-862c-e87809332be5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-33264", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116878227880912732", "content": "CVE-2026-33264: Apache Airflow &lt;3.3.0 has a CRITICAL deserialization flaw. DAG authors can trigger remote code execution on Scheduler/API Server. Upgrade to 3.3.0+ and restrict allowed_deserialization_classes. Details: https://radar.offseq.com/threat/cve-2026-33264-cwe-502-deserialization-of-untruste-8bbc1aa55d6c3415 #OffSeq #Airflow #Infosec #CVE202633264", "creation_timestamp": "2026-07-07T10:30:26.100516Z"}, {"uuid": "f726afa5-65ce-4b64-bdc6-25b05107873e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-33264", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mq2fkleckz23", "content": "CVE-2026-33264: Apache Airflow &lt;3.3.0 has a CRITICAL deserialization bug \u2014 DAG authors could trigger RCE on Scheduler/API Server. Upgrade to 3.3.0+ and restrict deserialization classes now. https://radar.offseq.com/threat/cve-2026-33264-cwe-502-deserialization-of-untruste-8bbc1aa55d6c3415 #OffSeq...", "creation_timestamp": "2026-07-07T10:30:27.679495Z"}, {"uuid": "f9bc7807-3cae-4760-a1f7-838499005021", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-33264", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mq2jez5o4b27", "content": "CVE-2026-33264: Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()", "creation_timestamp": "2026-07-07T11:38:55.238434Z"}, {"uuid": "0ec945df-5467-4913-a299-a1ccd45ef6da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-33264", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mq2k4insdp2w", "content": "CVE-2026-33264 - Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()\nCVE ID : CVE-2026-33264\n \n Published : July 7, 2026, 10:16 a.m. | 1\u00a0hour, 31\u00a0minutes ago\n \n Description : A bug in `BaseSerialization.deserialize()`...", "creation_timestamp": "2026-07-07T11:52:06.860608Z"}, {"uuid": "7438ba62-ee7e-4528-ab45-a6e84892da7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-33264", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mq2z7dj6b22i", "content": "CVE-2026-33264 - apache airflow\nA bug in Apache Airflow allowed malicious DAG authors to execute code on the Airflow server, potentially leading to unauthorized access or data breaches. To\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#apacheairflow #apachefoundation #CVE #infosec", "creation_timestamp": "2026-07-07T16:22:04.705363Z"}]}