Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) unsafely imports and dispatches arbitrary class paths from DAG-author-controlled serialized state without an allowlist or plugin registry. This permits a DAG author to embed a custom `DeadlineReference` with a serialized form naming an attacker-controlled module path, causing the scheduler to import and instantiate that class with a live SQLAlchemy session. This deserialization of untrusted data (CWE-502) leads to potential arbitrary code execution within the scheduler process. The vulnerability is relevant in environments where DAG-author code is less trusted than the scheduler, notably default single-host deployments. The vendor recommends upgrading to Apache Airflow 3.2.2 or later.

An attacker with the ability to supply DAG code to the scheduler can execute arbitrary code within the scheduler process by exploiting unsafe deserialization. This can lead to unauthorized actions within the Airflow environment, potentially compromising the scheduler and associated resources. The impact is limited to deployments where DAG-author code is less trusted than the scheduler process. There are no known exploits in the wild at this time.

Users should upgrade to Apache Airflow version 3.2.2 or later, where this vulnerability is addressed. No other official remediation or temporary fixes are documented. Patch status is not explicitly confirmed in the advisory, but the vendor's upgrade recommendation indicates a fix is available in 3.2.2+. Until upgraded, restrict DAG author permissions to trusted users only to reduce risk.