CVE-2026-30898

Medienbericht

EPSS 0.08%
Veröffentlicht 18.04.2026 06:20:48
Zuletzt bearbeitet 21.04.2026 14:43:36
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 3.2.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.237

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.heise.de/news/Schadcode-Schlupfloecher-bedrohen-Apache-Airflow-und-Airflow-Keycloak-11268021.html

Media Report

https://github.com/apache/airflow/pull/64129

Issue Tracking

https://lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81nzh1bdc8

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/17/7

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-30898

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-30898

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-30898

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-30898