Skip to main content
CVE-2026-42252 CRITICAL PATCH GHSA Act Now

Server-side template injection in Apache Airflow versions 3.0.0 through 3.2.1 allows low-privilege authenticated users to inject Jinja2 expressions via dag_run.conf parameters that are unsafely interpolated into BashOperator commands, leading to arbitrary command execution in the worker context. The flaw carries a 9.1 CVSS but EPSS sits at just 0.03% (9th percentile), and there is no public exploit identified at time of analysis despite a vendor patch being available. Disclosure occurred via the oss-security mailing list on 2026-05-31 alongside several other Airflow advisories.

Ssti Apache Information Disclosure
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy