CVE-2026-30898
Improper Input Handling in Airflow BashOperator Enables Code Execution
Publication date: 2026-04-18
Last updated on: 2026-04-21
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | all versions before 3.2.0 (3.2.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability stems from an example in the Airflow documentation that uses the BashOperator with values taken from dag_run.conf without sanitizing them. dag_run.conf is supplied by whoever triggers the DAG, so a user with UI access controls its contents; when such a value is interpolated into the command that the BashOperator hands to a shell, shell metacharacters in it are interpreted as command syntax (CWE-77). The result is that a UI user can run arbitrary commands on the worker that executes the task, which is an escalation from UI access to code execution on the worker.
Users are advised to review their own DAGs to ensure they have not adopted this incorrect usage pattern.
How can this vulnerability impact me?
If exploited, this vulnerability allows a user with access to the Airflow UI to execute arbitrary code on the worker nodes, with the privileges of the worker process. That can lead to unauthorized actions against anything the worker can reach (connections, secrets, data stores), data compromise, or disruption of workflows.
What immediate steps should I take to mitigate this vulnerability?
Users should check whether any of their own DAGs copied the incorrect advice from the BashOperator example in the Airflow documentation that passes dag_run.conf into the command in an unsafe way.
Specifically, treat anything coming from dag_run.conf as untrusted input: do not interpolate it into a bash_command string, and instead pass it to the shell as data (for example through an environment variable that the command references, or a properly quoted value) so that it cannot change the command that is executed or escalate the privileges of UI users.
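The added example below, written for this page and not taken from the Airflow project or its documentation, shows the mechanism described above and an audit for the pattern. It stands in for Airflow's Jinja rendering with a tiny regex substitution (an assumption for the sake of running offline; real Airflow renders the full Jinja template), executes the rendered command with a shell the way a BashOperator task would, and contrasts the unsafe string interpolation with passing the value through an environment variable. The DAG source, the trigger payload, the `MESSAGE` variable name and the helper names are all constructed for this example; the env-variable pattern is the mitigation this example recommends, not a statement of what the upstream docs were changed to.

```python
"""Added example for CVE-2026-30898 (not Airflow code): shell command injection via
dag_run.conf in bash_command, the env-variable alternative, and an AST audit."""
import ast
import os
import re
import subprocess

# Constructed trigger config, standing in for what a UI user could submit when
# triggering the DAG with a config. The value closes the double-quoted echo
# argument and appends a second command.
MALICIOUS_CONF = {"message": '"; echo INJECTED; echo "'}

# Unsafe pattern: the user-controlled value becomes part of the command text.
UNSAFE_BASH_COMMAND = 'echo "Here is the message: {{ dag_run.conf["message"] }}"'

# Safer pattern (assumed names): the command text is fixed and the shell reads the
# value from an environment variable, so the value is data, never syntax.
SAFE_BASH_COMMAND = 'echo "Here is the message: $MESSAGE"'
SAFE_ENV = {"MESSAGE": '{{ dag_run.conf["message"] }}'}

# Minimal stand-in for Jinja: matches {{ dag_run.conf["key"] }} only.
_CONF_REF = re.compile(r'\{\{\s*dag_run\.conf\["(\w+)"\]\s*\}\}')


def render(template: str, conf: dict) -> str:
    """Substitute dag_run.conf references with the raw value, without escaping,
    which is what template rendering does with a plain {{ }} expression."""
    return _CONF_REF.sub(lambda m: str(conf.get(m.group(1), "")), template)


def run_unsafe(conf: dict) -> list[str]:
    """Render the value into the command string, then hand the string to a shell."""
    cmd = render(UNSAFE_BASH_COMMAND, conf)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_safe(conf: dict) -> list[str]:
    """Render the value into the environment only; the command string never changes."""
    env = {**os.environ, **{k: render(v, conf) for k, v in SAFE_ENV.items()}}
    out = subprocess.run(SAFE_BASH_COMMAND, shell=True, env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def find_unsafe_bash_commands(dag_source: str) -> list[int]:
    """Audit helper: line numbers of calls whose bash_command= keyword is a string
    literal that references dag_run.conf. A heuristic, not a full taint analysis:
    values built elsewhere (f-strings, variables) are not followed."""
    hits = []
    for node in ast.walk(ast.parse(dag_source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "bash_command"
                    and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, str)
                    and "dag_run.conf" in kw.value.value):
                hits.append(node.lineno)
    return hits


# Constructed DAG source with one unsafe and one safe task definition.
SAMPLE_DAG = '''
from airflow.operators.bash import BashOperator

bad = BashOperator(
    task_id="bad",
    bash_command='echo "msg: {{ dag_run.conf["message"] }}"',
)
good = BashOperator(
    task_id="good",
    bash_command='echo "msg: $MESSAGE"',
    env={"MESSAGE": '{{ dag_run.conf["message"] }}'},
)
'''

if __name__ == "__main__":
    print("unsafe:", run_unsafe(MALICIOUS_CONF))   # INJECTED appears on its own line
    print("safe:  ", run_safe(MALICIOUS_CONF))     # payload is echoed back as text
    print("unsafe bash_command at lines:", find_unsafe_bash_commands(SAMPLE_DAG))
```

The unsafe run prints `INJECTED` as a separate line because the shell parsed the payload as a second command; the env-variable run prints the payload verbatim because `$MESSAGE` is expanded after parsing and its contents are never re-parsed. The audit only catches the literal pattern, so it should be treated as a starting point for review, not proof that a DAG is clean.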