Apache Airflow BashOperator Privilege Escalation Vulnerability via Unsanitized dag_run.conf Input

Vulnerability

A vulnerability exists in Apache Airflow versions prior to 3.2.0, where an example in the documentation showed an unsafe way of combining the BashOperator with Jinja templating: user-supplied dag_run.conf input was rendered, unsanitized, into the shell command. A UI user who can trigger a DAG with their own conf could thereby escalate their privileges and execute code on a worker. Users are advised to check their own Directed Acyclic Graphs (DAGs) for adherence to this flawed guidance.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation, allowing a user to execute arbitrary code on an Airflow worker.

Remediation

Users should update to Apache Airflow version 3.2.0 or later. Those who followed the incorrect documentation example should review and revise the affected DAGs so that values taken from dag_run.conf are no longer rendered directly into the BashOperator command.
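The advisory asks DAG authors to find and fix the flawed pattern themselves, so a static check is the practical first step. The following is an added example, not code from the advisory or from the Airflow project: a small `ast`-based scanner that flags `BashOperator(...)` calls whose `bash_command` literal interpolates `dag_run.conf` through a Jinja `{{ ... }}` expression. The two embedded DAG sources are constructed samples; the unsafe one mirrors the risky shape (the conf value becomes part of the shell command text, so the shell re-parses whatever the UI user typed), while the safe one passes the templated value through the operator's `env` mapping and references it as `$MESSAGE`, so the value stays data inside an environment variable. The import path used in the samples is only illustrative, since the samples are parsed, never executed.

```python
"""Flag BashOperator calls that render dag_run.conf straight into bash_command.

Added example (not Airflow project code). Assumes the flawed pattern looks like
bash_command="... {{ dag_run.conf['x'] }} ..." and that the safe alternative
passes the value via env={...} and expands it in the shell as $VAR.
"""
import ast
import re
import sys

# A Jinja expression that dereferences dag_run.conf, e.g. {{ dag_run.conf['message'] }}
_CONF_IN_JINJA = re.compile(r"\{\{[^}]*dag_run\.conf[^}]*\}\}")


def _callee_name(func: ast.expr):
    """Return the bare callee name for BashOperator(...) or bash.BashOperator(...)."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_conf_in_bash_command(source: str):
    """Return (line_number, bash_command) for every flagged BashOperator call.

    Only string-literal bash_command values are inspected; f-strings and
    values built at runtime are out of scope for this simple check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) != "BashOperator":
            continue
        for kw in node.keywords:
            if kw.arg != "bash_command":
                continue
            value = kw.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                if _CONF_IN_JINJA.search(value.value):
                    findings.append((node.lineno, value.value))
    return findings


# Constructed sample: the risky shape. The rendered conf value is spliced into
# the command line, so the shell interprets it as command syntax.
UNSAFE_DAG = """
from airflow.operators.bash import BashOperator

echo_task = BashOperator(
    task_id="echo_message",
    bash_command="echo message: {{ dag_run.conf['message'] }}",
)
"""

# Constructed sample: the safer shape. The template is rendered into an
# environment variable and the command only expands $MESSAGE as data.
SAFE_DAG = """
from airflow.operators.bash import BashOperator

echo_task = BashOperator(
    task_id="echo_message",
    bash_command="echo message: $MESSAGE",
    env={"MESSAGE": "{{ dag_run.conf['message'] }}"},
)
"""


def scan_files(paths):
    """Scan DAG files on disk; returns {path: findings} for files with hits."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            hits = find_conf_in_bash_command(fh.read())
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    # Usage: python scan_bash_conf.py dags/*.py
    for path, hits in scan_files(sys.argv[1:]).items():
        for line, cmd in hits:
            print(f"{path}:{line}: dag_run.conf rendered into bash_command: {cmd!r}")
```

Running the scanner over a DAGs folder lists each flagged call with its line number; a clean run over the `env`-based form produces no output, which is the shape to refactor towards. The check is deliberately narrow (literal `bash_command` strings only), so treat a clean result as a starting point for review rather than proof that no DAG is affected.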

Added: Apr 18, 2026, 7:20 AM
Updated: Apr 18, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact         10.0
exploitability  5.2
remediation     0.0
relevance       6.4
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.