Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.
AnalysisAI
Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. The vulnerability stems from documentation suggesting unsafe handling of dag_run.conf parameters, which organizations may have replicated in production DAGs. EPSS score of 0.03% indicates low observed exploitation probability, though the upstream fix (PR #64129) demonstrates vendor acknowledgment and remediation.
Technical ContextAI
Apache Airflow is a platform for programmatically authoring, scheduling, and monitoring workflows as directed acyclic graphs (DAGs). The BashOperator component executes bash commands as part of workflow tasks. The vulnerability (CWE-77: Improper Neutralization of Special Elements used in a Command) arose from documentation demonstrating unsafe templating of dag_run.conf user inputs directly into BashOperator commands without sanitization. When dag_run.conf parameters - which authenticated UI users can control through the Airflow interface - are passed to bash execution contexts, attackers can inject shell metacharacters to execute arbitrary commands with the privileges of the Airflow worker process. This represents a privilege escalation from UI-level authenticated access to worker-level code execution, potentially compromising the entire workflow orchestration environment.
RemediationAI
Upgrade to Apache Airflow 3.2.0 or later, which includes corrected documentation and secure BashOperator examples per GitHub PR #64129 (https://github.com/apache/airflow/pull/64129). Review official security advisory at https://lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81nzh1bdc8 for vendor guidance. CRITICAL INTERIM STEP: Audit all custom DAG implementations for unsafe dag_run.conf parameter handling in BashOperator commands. Search DAG code for patterns like BashOperator(bash_command=f'command {dag_run.conf}') or similar templating that concatenates user-controlled conf values into shell commands without validation. Compensating controls prior to upgrade: implement input validation/sanitization for all dag_run.conf parameters before use in BashOperator contexts using allowlists for permitted characters (reject shell metacharacters: semicolons, pipes, backticks, dollar signs, ampersands); alternatively, refactor vulnerable DAGs to use PythonOperator with subprocess.run() and shell=False, which prevents shell injection by avoiding shell interpretation entirely (trade-off: requires code refactoring versus quick validation fixes). Restrict DAG authoring permissions to prevent introduction of new vulnerable patterns during remediation period (trade-off: may impact development velocity). These mitigations reduce attack surface but code review and upgrading remain definitive solutions.
More in Apache Airflow
View allRemote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controll
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xco
CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnera
Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI
CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High
Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acycli
{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full fil
Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when t
Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read
Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permissi
CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management proce
Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted D
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23660
GHSA-6337-2587-f2jq