Airflow 3 isn't a routine upgrade

A technical comparison warns that Airflow 3 is a ground‑up rearchitecture with breaking changes and migration pitfalls, meaning upgrades may need careful planning and testing. The same reporting highlights a listed Airflow code‑injection vulnerability (CVE‑2025‑54550), underscoring that orchestration changes carry both operational and security risk. (dev.to) (radar.offseq.com)

Apache Airflow 3 is not a patch-and-restart upgrade. The project’s own upgrade guide calls it a major release with breaking changes and a new architecture. (airflow.apache.org) Airflow is workflow software for scheduling data jobs. In Airflow 2.x, its components, including user-written task code, could talk directly to the metadata database that stores run state and task history. In Airflow 3.x, the project says an API server becomes the sole access point through which tasks and workers reach that database. (airflow.apache.org)

The Apache guide says teams should first be on Airflow 2.7 or later, move to the latest 2.x release before jumping to 3.x, and back up the metadata database before starting the migration. It also says commonly used operators such as BashOperator and PythonOperator were split out of the core package into a separate standard provider package, so existing DAG import paths need to be checked. (airflow.apache.org) Apache described Airflow 3.0 as “the biggest release in Airflow’s history” when it announced general availability, four years after Airflow 2.0 shipped in 2020. The project’s current release notes show Airflow 3.2.0 was published on April 7, 2026, which means the 3.x line is still changing while teams plan migrations. (airflow.apache.org 1) (airflow.apache.org 2)

The architecture change is a security change as well as an operational one. Apache’s upgrade guide says the new design stops user task code from directly accessing the metadata database, a pattern it says could let malicious task code perform unauthorized actions. (airflow.apache.org) At the same time, a new Airflow vulnerability listing landed on April 15, 2026. The CVE entry says an `example_xcom` pattern in Airflow documentation could let a user with permission to modify XCom values trigger arbitrary code execution on a worker, and it lists affected versions as Apache Airflow before 3.2.0. (openwall.com) (tenable.com) The public advisory rates the issue Low severity because exploitation requires a highly trusted user role and the flaw is in documentation example code, not in a feature shipped in the default production release. OpenCVE says the Airflow 3.2.0 documentation contains a more resilient version of the example and advises users who copied the pattern into their own DAGs to adjust their implementations. (openwall.com) (app.opencve.io) The practical consequence is that upgrading Airflow itself does not fix a DAG that already carries the copied pattern; that code has to be found and reviewed.

Outside the Apache docs, migration guides from Astronomer and other operators describe the 2-to-3 move as a checklist project, not a one-click update. Astronomer says users should check DAG code, config compatibility, deprecated parameters, and import paths before rollout, and it recommends reaching at least Airflow 2.6.3 before moving to 3.x. (astronomer.io) Apache’s own release notes and migration references show why teams test this carefully: 3.x keeps adding features, database migrations can have operational impact, and some surrounding packages now upgrade on separate tracks. The result is that Airflow 3 promises a cleaner boundary around the control plane, but getting there is an engineering project with staging, backups, and code review. (airflow.apache.org 1) (airflow.apache.org 2) (airflow.apache.org 3)
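The XCom issue described above is a trust-boundary problem: XCom rows can be written by any principal holding the right permission, so task code that turns a pulled value into code hands that principal execution on the worker. The block below is an added example, not the Airflow documentation's `example_xcom` code (which is not reproduced here) and not from the advisory. It uses `eval` on a pulled value as a stand-in for whatever unsafe step a real example might contain, and replaces a task body with a plain Python function so it runs without Airflow. The field names, schema and sample payloads are constructed.

```python
"""Unsafe versus hardened handling of a pulled XCom value (added illustration).

Not the Airflow docs' example_xcom code. eval() stands in for any step that
turns attacker-controllable XCom content into code. In a real DAG the value
would come from ti.xcom_pull(); here it is passed in directly.
"""
import json

# Constructed sample XCom values, as a user with XCom write permission could set them.
BENIGN_XCOM = json.dumps({"rows": 42, "table": "orders"})
HOSTILE_XCOM = "__import__('os').getpid()"  # an expression, not data
WRONG_TYPE_XCOM = json.dumps({"rows": "42; drop table orders", "table": "orders"})


def consume_xcom_unsafe(value: str):
    """Vulnerable consumer: treats the XCom string as Python source.

    Whoever can edit the XCom row decides what this returns and, on a worker,
    what runs. A JSON object literal happens to be valid Python, so the benign
    payload "works", which is how patterns like this survive review.
    """
    return eval(value)  # noqa: S307  # deliberately unsafe, for contrast only


# Hypothetical schema for the value this task expects to receive.
EXPECTED_KEYS = {"rows": int, "table": str}


def consume_xcom_safe(value: str) -> dict:
    """Hardened consumer: XCom is data, decoded with json.loads and schema-checked."""
    try:
        payload = json.loads(value)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"XCom is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict) or set(payload) != set(EXPECTED_KEYS):
        raise ValueError("XCom does not match the expected schema")
    for key, typ in EXPECTED_KEYS.items():
        # bool is a subclass of int, so reject it explicitly for integer fields.
        if not isinstance(payload[key], typ) or isinstance(payload[key], bool):
            raise ValueError(f"XCom field {key!r} has the wrong type")
    if payload["rows"] < 0:
        raise ValueError("rows must be non-negative")
    return payload


def safe_consumer_rejects(value: str) -> bool:
    """True if the hardened consumer refuses the value instead of acting on it."""
    try:
        consume_xcom_safe(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, benign :", consume_xcom_unsafe(BENIGN_XCOM))
    print("unsafe, hostile:", consume_xcom_unsafe(HOSTILE_XCOM))  # ran attacker code
    print("safe, benign   :", consume_xcom_safe(BENIGN_XCOM))
    print("safe, hostile  :", safe_consumer_rejects(HOSTILE_XCOM))
    print("safe, bad type :", safe_consumer_rejects(WRONG_TYPE_XCOM))
```

The point of the contrast is the direction of trust: the hardened consumer decides what shape the data must have and rejects everything else, so a principal who can write XCom can at most fail the task, not run code on the worker.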
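One concrete item on that checklist is the operator move into the standard provider package. The scanner below is an added example, not Apache's or Astronomer's tooling. It parses DAG source with Python's `ast` module and reports imports that still use the old core paths, and it can rewrite `from ... import ...` lines to the new module. The legacy-to-provider module mapping is the editor's assumption about the Airflow 3 layout and the sample DAG is constructed; check the mapping against the `apache-airflow-providers-standard` version you actually install.

```python
"""Pre-migration import check for Airflow 2.x DAG files (added example).

Not part of Airflow. Flags imports of operators that Airflow 3 moved out of
the core package into the standard provider package. MOVED_MODULES is an
assumed mapping; verify it against your installed provider release.
"""
import ast
from typing import Dict, List, Tuple

# Legacy core module -> standard-provider module (assumed; verify locally).
MOVED_MODULES: Dict[str, str] = {
    "airflow.operators.bash": "airflow.providers.standard.operators.bash",
    "airflow.operators.python": "airflow.providers.standard.operators.python",
    "airflow.operators.empty": "airflow.providers.standard.operators.empty",
}

# Constructed sample DAG, as a 2.x team might have written it.
SAMPLE_DAG = '''\
from datetime import datetime
from airflow import DAG
from airflow.operators.bash import BashOperator
from airflow.operators.python import PythonOperator
from airflow.providers.standard.operators.empty import EmptyOperator  # already migrated

with DAG("etl", start_date=datetime(2026, 1, 1), schedule=None) as dag:
    extract = BashOperator(task_id="extract", bash_command="echo extract")
    load = PythonOperator(task_id="load", python_callable=print)
    done = EmptyOperator(task_id="done")
    extract >> load >> done
'''


def find_legacy_imports(source: str, filename: str = "<dag>") -> List[Tuple[int, str, str]]:
    """Return (line, legacy_module, replacement) for every import that must move."""
    findings: List[Tuple[int, str, str]] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in MOVED_MODULES:
            findings.append((node.lineno, node.module, MOVED_MODULES[node.module]))
        elif isinstance(node, ast.Import):
            # `import airflow.operators.bash` style; reported but not rewritten,
            # because attribute uses elsewhere in the file would also need edits.
            for alias in node.names:
                if alias.name in MOVED_MODULES:
                    findings.append((node.lineno, alias.name, MOVED_MODULES[alias.name]))
    return sorted(findings)


def rewrite_from_imports(source: str) -> str:
    """Rewrite `from <legacy> import ...` lines to the provider module, line by line.

    Uses AST line numbers to touch only real import statements, not strings or
    comments that happen to mention the old path.
    """
    lines = source.splitlines(keepends=True)
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in MOVED_MODULES:
            idx = node.lineno - 1
            lines[idx] = lines[idx].replace(
                f"from {node.module} import", f"from {MOVED_MODULES[node.module]} import", 1
            )
    return "".join(lines)


def report(source: str, filename: str = "<dag>") -> List[str]:
    """Human-readable findings, one per legacy import."""
    return [
        f"{filename}:{line}: {old} -> {new}" for line, old, new in find_legacy_imports(source, filename)
    ]


if __name__ == "__main__":
    for msg in report(SAMPLE_DAG, "dags/etl.py"):
        print(msg)
    print(rewrite_from_imports(SAMPLE_DAG))
```

Run it over a DAGs directory before the upgrade and again over the rewritten files; an empty findings list on the result is the check that the import-path item is done, while config keys and deprecated parameters still need their own review.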

Shared from Scout - Be the smartest in the room.