High severity8.8NVD Advisory· Published Apr 18, 2026· Updated Apr 21, 2026

CVE-2026-30898

Description

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

Affected products

Apache/Airflow
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Range: <3.2.0

Patches

af4f825962c0

https://github.com/apache/airflowvia nvd-ref

PR #64129

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.openwall.com/lists/oss-security/2026/04/17/7nvdMailing ListThird Party Advisory
lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81nzh1bdc8nvdVendor AdvisoryMailing List
github.com/apache/airflow/pull/64129nvdIssue Tracking

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000