Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <b67b94b2-7f13-6c8a-70c6-c7ee6cbddd8f@apache.org>
Date: Fri, 17 Apr 2026 10:28:55 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell
 injection via dag_run.conf 

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.0

Description:

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

Credit:

Peyton Kennedy (p80n-sec) from Endor Labs (finder)
Kevin Yang (remediation developer)

References:

https://github.com/apache/airflow/pull/64129
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-30898

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.