apache · amoghrajesh · Jun 13, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 13, 2025
diff --git a/RELEASE_NOTES.rst b/RELEASE_NOTES.rst
@@ -3136,17 +3136,6 @@ https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.ht
 It is strongly advised to **not** enable the feature until you make sure that only
 highly trusted UI/API users have "edit connection" permissions.
 
-The ``xcomEntries`` API disables support for the ``deserialize`` flag by default (#32176)
-"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
-For security reasons, the ``/dags/*/dagRuns/*/taskInstances/*/xcomEntries/*``
-API endpoint now disables the ``deserialize`` option to deserialize arbitrary
-XCom values in the webserver. For backward compatibility, server admins may set
-the ``[api] enable_xcom_deserialize_support`` config to *True* to enable the
-flag and restore backward compatibility.
-
-However, it is strongly advised to **not** enable the feature, and perform
-deserialization at the client side instead.
-
 Change of the default Celery application name (#32526)
 """"""""""""""""""""""""""""""""""""""""""""""""""""""
 Default name of the Celery application changed from ``airflow.executors.celery_executor`` to ``airflow.providers.celery.executors.celery_executor``.

diff --git a/airflow-core/newsfragments/51639.significant.rst b/airflow-core/newsfragments/51639.significant.rst
@@ -0,0 +1,17 @@
+``enable_xcom_deserialize_support`` configuration option has been removed.
+
+This configuration was previously marked as a security risk due to potential remote code execution vulnerabilities
+when deserializing arbitrary Python objects that came in from XComs. The removal is a security improvement since
+all custom XCom serialization/deserialization is now handled safely at the worker level, making this configuration
+unnecessary in core. Users should migrate to not setting this configuration.
+
+* Types of change
+
+  * [ ] Dag changes
+  * [x] Config changes
+  * [ ] API changes
+  * [ ] CLI changes
+  * [ ] Behaviour changes
+  * [ ] Plugin changes
+  * [ ] Dependency changes
+  * [ ] Code interface changes
diff --git a/airflow-core/src/airflow/config_templates/config.yml b/airflow-core/src/airflow/config_templates/config.yml
@@ -1430,15 +1430,6 @@ api:
       version_added: 2.2.0
       example: ~
       default: ""
-    enable_xcom_deserialize_support:
-      description: |
-        Indicates whether the **xcomEntries** endpoint supports the **deserialize**
-        flag. If set to ``False``, setting this flag in a request would result in a
-        400 Bad Request error.
-      type: boolean
-      version_added: 2.7.0
-      example: ~
-      default: "False"
     grid_view_sorting_order:
       description: |
         Sorting order in grid view. Valid values are: ``topological``, ``hierarchical_alphabetical``

diff --git a/reproducible_build.yaml b/reproducible_build.yaml
@@ -1,2 +1,2 @@
-release-notes-hash: edb6987ad849473a219f71b63e369800
-source-date-epoch: 1749569237
+release-notes-hash: 6d40bd86a01a8a2f5ba0d64afc1fb850
+source-date-epoch: 1749699565