Apache Airflow BashOperator unsanitized dag_run.conf leads to code exec
CVE-2026-30898 Published on April 18, 2026
Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf
An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.
Vulnerability Analysis
CVE-2026-30898 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Command Injection Vulnerability?
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2026-30898 has been classified to as a Command Injection vulnerability or weakness.
Products Associated with CVE-2026-30898
Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Airflow:- Before 3.2.0 is affected.