CVE-2026-30898 PUBLISHED

Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf

Assigner: apache
Reserved: 06.03.2026 Published: 18.04.2026 Updated: 18.04.2026

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

Product Status

Vendor	Apache Software Foundation
Product	Apache Airflow
Versions	Default: unaffected affected from 0 to 3.2.0 (excl.)

Credits

Peyton Kennedy (p80n-sec) from Endor Labs finder
Kevin Yang remediation developer

References

https://github.com/apache/airflow/pull/64129
https://lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81nzh1bdc8

Problem Types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE