CVE-2026-30898
Received Received - Intake
Improper Input Handling in Airflow BashOperator Enables Code Execution

Publication date: 2026-04-18

Last updated on: 2026-04-21

Assigner: Apache Software Foundation

Description
An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30898
EUVD
EUVD-2026-23660
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability arises from an example in the Airflow documentation where the BashOperator is used in a way that passes dag_run.conf without proper sanitization. This improper handling of user input can allow a user with UI access to escalate their privileges and execute arbitrary code on the worker.

Users are advised to review their own DAGs to ensure they have not adopted this incorrect usage pattern.

Impact Analysis

If exploited, this vulnerability can allow a user with access to the Airflow UI to escalate their privileges and execute arbitrary code on the worker nodes. This could lead to unauthorized actions, data compromise, or disruption of workflows.

Mitigation Strategies

Users should review if any of their own DAGs have adopted the incorrect advice from the BashOperator example in the Airflow documentation that passes dag_run.conf in an unsafe way.

Specifically, ensure that unsanitized user input is not used in a manner that could escalate privileges of UI users or allow execution of arbitrary code on workers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart