Privilege Escalation in Apache Airflow Due to Unsanitized User Input
CVE-2026-30898

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 18 April 2026

What is CVE-2026-30898?

A vulnerability in Apache Airflow allows privilege escalation due to improper handling of user input in DAGs. The issue arises when developers utilize examples from the documentation that suggest passing unsanitized values through dag_run.conf. This can allow a malicious user to execute arbitrary code on the worker, compromising system integrity. It is crucial for users to audit their DAG configurations to ensure they are not inadvertently exploiting this flaw by following insecure practices referenced in the documentation.

Affected Version(s)

Apache Airflow 0 < 3.2.0

References

https://github.com/apache/airflow/pull/64129

patch

https://lists.apache.org/thread/26zmhfj1t95c1hld2r14ho81n...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2026
Vulnerability Reserved
Mar 6, 2026

Credit

Peyton Kennedy (p80n-sec) from Endor Labs

Kevin Yang

CVE-2026-30898 Data

JSON