RCE in Apache Software Foundation Airflow

CVE-2026-30898

An example of BashOperator in the Airflow documentation suggested a way of passing dag_run.conf that could cause unsanitized user input to be used to escalate the privileges of a UI user, allowing code execution on a worker. Users should revie…

Vulnerability class: Command Injection (OS Command Injection)
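The pattern the description refers to, next to a safer form, as an added example (not code from the Airflow documentation or project). `render` is a hypothetical stand-in for Airflow's template rendering, the conf values are constructed, and `sh` is assumed to be on PATH.

```python
import os
import subprocess

# Constructed values standing in for dag_run.conf as submitted by a UI user.
BENIGN = {"message": "hello"}
UNTRUSTED = {"message": "x'; echo INJECTED; echo '"}  # harmless marker command


def render(template: str, conf: dict) -> str:
    """Hypothetical stand-in for rendering a templated operator field."""
    return template.replace("{{ message }}", conf.get("message", ""))


def run_templated_into_command(conf: dict) -> str:
    """Risky pattern: the conf value becomes part of the shell text itself."""
    cmd = render("echo 'here is the message: {{ message }}'", conf)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def run_passed_via_env(conf: dict) -> str:
    """Safer pattern: constant command text, value delivered as an env variable.

    With BashOperator this corresponds to templating the `env` field and
    referencing "$message" in bash_command, not templating bash_command.
    """
    env = dict(os.environ, message=render("{{ message }}", conf))
    cmd = 'echo "here is the message: $message"'
    return subprocess.run(
        ["sh", "-c", cmd], env=env, capture_output=True, text=True
    ).stdout


def injected(stdout: str) -> bool:
    """True when the marker ran as its own command instead of printing as data."""
    return "INJECTED" in stdout.splitlines()


if __name__ == "__main__":
    for name, fn in [("templated", run_templated_into_command),
                     ("via env", run_passed_via_env)]:
        out = fn(UNTRUSTED)
        print(f"{name:10} injected={injected(out)} output={out!r}")
```

The quoted `"$message"` expansion is what keeps the value as data; an unquoted `$message` or an `eval` on it would reintroduce the problem.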

EPSS: 0.000 (8.5th percentile)

Affected products

Weakness classification (CWE)

References