Server-side template injection in Apache Airflow versions 3.0.0 through 3.2.1 allows low-privilege authenticated users to inject Jinja2 expressions via dag_run.conf parameters that are unsafely interpolated into BashOperator commands, leading to arbitrary command execution in the worker context. The flaw carries a 9.1 CVSS but EPSS sits at just 0.03% (9th percentile), and there is no public exploit identified at time of analysis despite a vendor patch being available. Disclosure occurred via the oss-security mailing list on 2026-05-31 alongside several other Airflow advisories.
Ssti
Apache
Information Disclosure
NVD
GitHub
VulDB
CVSS 3.1
9.1
EPSS
0.0%