CVE-2026-30898

Low

Low Medium High Critical

CVSS Score

Published: Apr 18, 2026

Last Modified: Apr 18, 2026

Vulnerability Description

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

References & Resources

Severity Details

out of 10.0

Low

Weakness Type (CWE)

CWE-77 Top 25 #9

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Exploit Likelihood: High
Typical Severity: Medium
OWASP Top 10: A03:2021-Injection
Abstraction Level: Class

View CWE Details on MITRE

Key Information

Published Date: April 18, 2026

External Resources

NIST NVD

National Vulnerability Database

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages