Airflow EUVD-2026-23660 | CVE-2026-30898 (HIGH)

Type: Command Injection (CWE-77)
Date: 2026-04-18
Vendor: apache
Advisory: GHSA-6337-2587-f2jq
CVSS 3.1 base score: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Apr 21, 2026 - 14:58 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 20, 2026 - 19:07 (vuln.today): Re-analysis Queued, cvss_changed
Apr 20, 2026 - 16:23 (vuln.today): Analysis Generated
Apr 20, 2026 - 16:22 (NVD): CVSS changed, 8.8 (HIGH)

Description (NVD)

An example of BashOperator in the Airflow documentation suggested passing dag_run.conf in a way that could cause unsanitized user input to be used to escalate the privileges of a UI user, allowing code execution on the worker. Users should review whether any of their own DAGs have adopted this incorrect advice.

Analysis (AI)

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. …


Remediation (AI)

Within 24 hours: Identify all Apache Airflow instances running versions before 3.2.0 and inventory DAGs using BashOperator with dag_run.conf parameter handling. Within 7 days: Upgrade all affected Airflow deployments to version 3.2.0 or later, and conduct code review of existing DAGs to identify and remediate unsafe parameter handling patterns matching the vulnerable documentation example. …
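The description and the remediation above both turn on one DAG-authoring pattern: a value from dag_run.conf (which any user allowed to trigger the DAG with a run configuration controls) being templated straight into a BashOperator's bash_command, where the worker's shell then parses it as command text. The following is an added example, not code from the Airflow project or from this advisory page, and it does not import Airflow: a small regex substitution stands in for Jinja rendering, `sh -c` stands in for the worker's shell, and the template strings, the `message` key, the sample run configuration and the sample DAG source are all constructed here. The exact text of the documentation example the advisory refers to is not on this page, so the "unsafe" template below is a representative of the described pattern, not a quotation of it. It shows the vulnerable form beside the hardened form (conf delivered through `env` and expanded by the shell inside double quotes after parsing), plus a review helper of the kind the 7-day step calls for, which scans DAG source for bash_command strings that template dag_run.conf directly.

```python
"""Added example (not the Airflow project's code): dag_run.conf -> BashOperator,
the injectable pattern beside the hardened one, and a DAG-source review helper.
Template strings, key names and sample inputs are constructed for this example."""
import os
import re
import subprocess

# Representative of the pattern the advisory describes (assumed form, not a
# quotation of the documentation example): the rendered conf value becomes
# part of the command text before the shell parses it.
UNSAFE_BASH_COMMAND = "echo {{ dag_run.conf['message'] }}"

# Hardened form: the command text is fixed; the conf value travels in an
# environment variable and is expanded by the shell after parsing, quoted.
SAFE_BASH_COMMAND = 'echo "$MESSAGE"'
SAFE_ENV = {"MESSAGE": "{{ dag_run.conf['message'] }}"}

_CONF_TEMPLATE = re.compile(r"\{\{\s*dag_run\.conf\['(\w+)'\]\s*\}\}")


def render(template, conf):
    """Minimal stand-in for Jinja: substitute {{ dag_run.conf['key'] }} only."""
    return _CONF_TEMPLATE.sub(lambda m: str(conf.get(m.group(1), "")), template)


def run_shell(command, extra_env=None):
    """Run `command` through /bin/sh, as a worker would, and return stdout."""
    env = dict(os.environ)
    env.update(extra_env or {})
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, env=env, check=False)
    return result.stdout


def run_unsafe(conf):
    """Vulnerable path: conf is rendered into the command string itself, so shell
    metacharacters in the run configuration become additional commands."""
    return run_shell(render(UNSAFE_BASH_COMMAND, conf))


def run_safe(conf):
    """Hardened path: conf is rendered only into an env value; the shell sees a
    fixed command and treats the expanded value as a single argument."""
    rendered_env = {name: render(value, conf) for name, value in SAFE_ENV.items()}
    return run_shell(SAFE_BASH_COMMAND, rendered_env)


# Review helper: bash_command string literals whose body templates dag_run.conf.
_BASH_COMMAND_LITERAL = re.compile(
    r"bash_command\s*=\s*(?P<q>['\"])(?P<body>.*?)(?P=q)", re.DOTALL)


def flag_unsafe_bash_commands(dag_source):
    """Return the bash_command literals in `dag_source` that put dag_run.conf
    into the command text. Values passed via env= are not command text and
    are left alone."""
    return [m.group("body") for m in _BASH_COMMAND_LITERAL.finditer(dag_source)
            if "dag_run.conf" in m.group("body")]


# Constructed DAG source: one task using each pattern.
SAMPLE_DAG_SOURCE = """
vuln = BashOperator(task_id="v", bash_command="echo {{ dag_run.conf['message'] }}")
safe = BashOperator(task_id="s", bash_command='echo "$MESSAGE"',
                    env={"MESSAGE": "{{ dag_run.conf['message'] }}"})
"""

if __name__ == "__main__":
    # Constructed run configuration carrying a harmless second command.
    conf = {"message": "hello; echo INJECTED"}
    print("unsafe:", repr(run_unsafe(conf)))   # two commands ran
    print("safe:  ", repr(run_safe(conf)))     # one echo of the literal value
    print("flagged:", flag_unsafe_bash_commands(SAMPLE_DAG_SOURCE))
```

The review helper is deliberately narrow: it only reports literals that contain `dag_run.conf` inside a bash_command string, so a task that passes the same value through `env=` (as the hardened form does) is not flagged. Templated values delivered as environment variables still reach the shell, which is why the hardened command quotes `"$MESSAGE"`; an unquoted `$MESSAGE` would undergo word splitting but, unlike the unsafe form, could not introduce new commands.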



EUVD-2026-23660 vulnerability details – vuln.today
