oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf

From: Rahul Vats <rahulvats () apache org>
Date: Fri, 17 Apr 2026 10:28:55 +0000
Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.0

Description:

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause 
unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should 
review if any of their own DAGs have adopted this incorrect advice.

Credit:

Peyton Kennedy (p80n-sec) from Endor Labs (finder)
Kevin Yang (remediation developer)

References:

https://github.com/apache/airflow/pull/64129
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-30898
Previous By Date Next
Previous By Thread Next

Current thread: