PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42252 Apache Software Foundation CVE debrief

CVE-2026-42252 documents a documentation-pattern vulnerability in Apache Airflow where the official documentation at `core-concepts/dag-run.html` presented a `BashOperator` example using `dag_run.conf` values without shell-quoting or sanitization warnings. DAG authors who copied this verbatim pattern into production deployments exposed trigger-authorized users to shell metacharacter injection via the `conf` field of the trigger API. The vulnerability affects multi-team deployments and hosted offerings where users hold `Dag.can_trigger` permission. The fix, delivered in `apache/airflow` PR 64129, adds explicit shell-quoting and a safety caveat to the documentation example. This issue is the same class as prior documentation-pattern CVEs CVE-2025-50213 and CVE-2025-27018. The corrected documentation ships with `apache-airflow` 3.2.2 and later.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Airflow platform operators, DevSecOps teams managing multi-team Airflow deployments, hosted Airflow service providers, and DAG authors using BashOperator with dag_run.conf interpolation

Technical summary

The pre-correction documentation example, `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")`, permitted shell metacharacter injection when trigger API users supplied crafted `conf` values: the templated value is spliced verbatim into the command string before the shell parses it. An authenticated user with `Dag.can_trigger` could inject shell commands (e.g., using `;` metacharacters) that would execute via `os.exec` on the Airflow worker. The fix adds explicit shell-quoting and a safety warning to the documentation pattern. Affects DAGs modeled on the pre-3.2.2 documentation example.

Defensive priority

high

Recommended defensive actions

  • Audit existing DAG code for BashOperator patterns that interpolate dag_run.conf values without shell-quoting or parameterization
  • Upgrade to apache-airflow 3.2.2 or later to obtain corrected documentation and review updated examples
  • Apply defensive quoting (e.g., shlex.quote or equivalent) to all user-controlled values passed to bash_command templates
  • Restrict Dag.can_trigger permissions to trusted users and implement input validation on trigger API conf payloads
  • Review trigger API access controls in multi-team or hosted Airflow deployments to reduce attack surface
  • Reference prior documentation-pattern CVEs CVE-2025-50213 and CVE-2025-27018 for additional hardening guidance
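The following is an added example, not code from the Apache Airflow project or from this advisory. It places the vulnerable `bash_command` shape from the technical summary beside a quoted form, shows why the difference matters to the shell, and implements the first recommended action (auditing DAG source for unquoted `dag_run.conf` interpolation). It does not import Airflow: a small regex renderer stands in for Airflow's Jinja rendering of `bash_command` (an assumption made so the script runs offline), the `shquote` filter name is hypothetical, and the conf payload and DAG source are constructed samples.

```python
"""Vulnerable vs. quoted BashOperator templates, plus a DAG-source audit.

Added example for CVE-2026-42252. Nothing here is Airflow code: `render()`
is a minimal stand-in for Airflow's Jinja rendering of `bash_command`, and
`shquote` is a hypothetical filter (in a real DAG it could be registered with
`DAG(user_defined_filters={"shquote": shlex.quote})`).
"""
import re
import shlex

# Constructed sample trigger-API payload. The value is user-controlled and
# carries a shell control operator; it is illustrative, not captured traffic.
SAMPLE_CONF = {"conf1": "hello; id"}

# Shape of the pre-correction documentation pattern: no quoting at all.
VULNERABLE_TEMPLATE = "echo value: {{ dag_run.conf['conf1'] }}"

# Hardened form: the value is shell-quoted before it lands in the command.
HARDENED_TEMPLATE = "echo value: {{ dag_run.conf['conf1'] | shquote }}"

# Matches `{{ dag_run.conf['key'] }}` with an optional trailing `| filter`.
_PLACEHOLDER = re.compile(
    r"\{\{\s*dag_run\.conf\[['\"](?P<key>[^'\"]+)['\"]\]\s*"
    r"(?:\|\s*(?P<filter>\w+))?\s*\}\}"
)

# Filters available to the stand-in renderer (assumption: same as what the
# DAG would register via user_defined_filters).
FILTERS = {"shquote": shlex.quote}


def render(template: str, conf: dict) -> str:
    """Substitute dag_run.conf lookups, applying the optional filter.

    Stand-in for Airflow's Jinja rendering; supports only the subset used here.
    """
    def substitute(match):
        value = str(conf.get(match.group("key"), ""))
        flt = match.group("filter")
        return FILTERS[flt](value) if flt else value
    return _PLACEHOLDER.sub(substitute, template)


def shell_control_tokens(command: str) -> list:
    """Return the shell control operators (;, |, &, (, ), <, >) that a POSIX
    shell would treat as separators in `command`. Text inside quotes is not
    split, so a correctly quoted value contributes no operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer
            if tok and all(c in lexer.punctuation_chars for c in tok)]


# Matches a bash_command string literal so its body can be inspected.
_BASH_COMMAND = re.compile(r"bash_command\s*=\s*(?P<q>['\"])(?P<cmd>.*?)(?P=q)")


def audit_dag_source(source: str) -> list:
    """Return every bash_command string that interpolates dag_run.conf with no
    filter applied. This is the audit step from the recommended actions."""
    findings = []
    for m in _BASH_COMMAND.finditer(source):
        cmd = m.group("cmd")
        if any(ph.group("filter") is None for ph in _PLACEHOLDER.finditer(cmd)):
            findings.append(cmd)
    return findings


# Constructed DAG source used to exercise the audit; not a real project file.
SAMPLE_DAG_SOURCE = '''
risky = BashOperator(
    task_id="risky",
    bash_command="echo value: {{ dag_run.conf['conf1'] }}",
)
safe = BashOperator(
    task_id="safe",
    bash_command="echo value: {{ dag_run.conf['conf1'] | shquote }}",
)
'''

if __name__ == "__main__":
    for name, tpl in (("vulnerable", VULNERABLE_TEMPLATE),
                      ("hardened", HARDENED_TEMPLATE)):
        cmd = render(tpl, SAMPLE_CONF)
        print(f"{name}: {cmd!r} -> control operators {shell_control_tokens(cmd)}")
    print("audit findings:", audit_dag_source(SAMPLE_DAG_SOURCE))
```

The quoted template renders the payload as a single shell word, so the tokenizer sees no control operator; the unquoted one renders `;` as a separator, which is exactly the condition the audit flags in DAG source. Quoting is the minimal change the advisory describes; passing the value to the task through `BashOperator`'s `env` parameter instead of the command string removes the interpolation entirely and is the stricter option.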

Evidence notes

CVE published 2026-06-01. Documentation correction merged in PR 64129. CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) identified by Apache security team. Same vulnerability class as CVE-2025-50213 and CVE-2025-27018.

Official resources

2026-06-01