CVE-2026-30898 · HIGH 8.8 · EPSS p50.8%

Description

An example of BashOperator in the Airflow documentation suggested a way of passing dag_run.conf that could cause unsanitized user input to be used to escalate the privileges of a UI user, allowing code execution on the worker. Users should review whether any of their own DAGs have adopted this incorrect advice.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.77% probability of exploitation · percentile 50.8% · 2026-06-19T12:03:05Z
Published: 2026-04-18
Last modified: 2026-04-21

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/apache/airflow/pull/64129
  2. https://lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81nzh1bdc8
  3. http://www.openwall.com/lists/oss-security/2026/04/17/7

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') · cwe-77 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-33858
  2. CVE: CVE-2026-42252
  3. CVE: Apache Airflow Command Injection
  4. CVE: CVE-2025-54550
  5. CVE: CVE-2026-40963
  6. CVE: CVE-2026-40861

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.