Platform
python
Component
apache-airflow
Fixed in
3.2.0
CVE-2026-30898 describes a privilege escalation vulnerability discovered in Apache Airflow. This issue arises from an insecure example provided in the Airflow documentation, which demonstrates a method of passing dag_run.conf in a way that allows unsanitized user input to be leveraged. This can lead to a UI user escalating their privileges and potentially executing code on worker nodes. The vulnerability affects versions 0.0.0 through 3.2.0, and a fix is available in version 3.2.0.
The primary impact of CVE-2026-30898 is the potential for unauthorized code execution on Airflow worker nodes. An attacker could exploit this vulnerability by crafting malicious input within the dag_run.conf parameter, which, if not properly sanitized, could be interpreted and executed by the Airflow worker. This could allow an attacker to gain control of the worker, potentially leading to data breaches, system compromise, or denial of service. The blast radius extends to any data processed by the affected worker and any systems accessible from it. This vulnerability highlights the importance of carefully reviewing and validating all documentation and examples provided by software vendors, as seemingly innocuous guidance can inadvertently introduce security risks.
CVE-2026-30898 was publicly disclosed on 2026-04-18. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the nature of the vulnerability (insecure documentation example) and the lack of public exploits, the probability of exploitation is considered low to medium. Monitor Airflow forums and security mailing lists for any emerging exploitation attempts.
Exploit Status
EPSS
0.08% (23% percentile)
The primary mitigation for CVE-2026-30898 is to upgrade Apache Airflow to version 3.2.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, carefully review all DAGs that utilize the BashOperator and specifically examine how dagrun.conf is being handled. Ensure that all user-supplied input passed to dagrun.conf is properly sanitized and validated to prevent command injection. Consider implementing stricter access controls and input validation within your Airflow environment to limit the potential impact of this vulnerability. After upgrading, confirm the fix by reviewing the Airflow documentation and ensuring that the insecure example has been removed or corrected.
Update Apache Airflow to version 3.2.0 or higher to mitigate the command injection vulnerability. Review existing DAGs to identify and correct any incorrect usage of `dag_run.conf` that may allow unauthorized code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-30898 is a vulnerability in Apache Airflow versions 0.0.0–3.2.0 where an insecure documentation example allows user input to escalate privileges, potentially enabling code execution on worker nodes.
If you are using Apache Airflow versions 0.0.0 through 3.2.0 and have adopted the insecure example from the documentation, you are potentially affected. Review your DAGs immediately.
Upgrade Apache Airflow to version 3.2.0 or later. Also, review and sanitize any existing DAGs that use the BashOperator and handle dag_run.conf.
As of now, there are no known public exploits or confirmed active exploitation campaigns targeting CVE-2026-30898.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information: https://airflow.apache.org/security
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.