Description

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

INFO

Published Date :

2026-04-18T06:20:48.647Z

Last Modified :

2026-04-22T03:55:38.783Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30898 vulnerability.

Vendors Products
Apache
  • Airflow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30898.

URL Resource
http://www.openwall.com/lists/oss-security/2026/04/17/7 cve-icon
https://github.com/apache/airflow/pull/64129 cve-icon cve-icon
https://lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81nzh1bdc8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact