CVE-2022-40127

HIGH NUCLEI LAB

Apache Airflow < 2.4.0 - Authenticated Remote Code Execution via Run ID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-40127. PoCs published by Mr-xn, jakabakos. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2022-40127, demonstrating RCE in Apache Airflow < 2.4.0 via command injection in the `example_bash_operator` DAG. It includes Docker setup instructions and two PoC methods: one via DAG configuration and another via API endpoint exploitation.

Description

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.

Exploits (2)

nomisec WORKING POC 41 stars
by Mr-xn · poc
https://github.com/Mr-xn/CVE-2022-40127

This repository provides a functional proof-of-concept for CVE-2022-40127, demonstrating RCE in Apache Airflow < 2.4.0 via command injection in the `example_bash_operator` DAG. It includes Docker setup instructions and two PoC methods: one via DAG configuration and another via API endpoint exploitation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Airflow < 2.4.0
Auth required
Prerequisites: Access to Airflow web interface or API · Valid credentials for authenticated endpoints
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 2 stars
by jakabakos · poc
https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE

This repository contains a functional exploit for CVE-2022-40127, an RCE vulnerability in Apache Airflow versions prior to 2.4.0. The exploit leverages the `example_bash_operator` DAG to execute arbitrary commands via a crafted `run_id` parameter, demonstrating a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Airflow < 2.4.0
Auth required
Prerequisites: Valid Airflow credentials · Access to the Airflow UI · Presence of the `example_bash_operator` DAG
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

AirFlow < 2.4.0 - Remote Code Execution
HIGHVERIFIEDby DhiyaneshDk,ritikchaddha
Shodan: title:"Sign In - Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"
FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

References (3)

Core 3
Core References
Patch, Third Party Advisory
https://github.com/apache/airflow/pull/25960
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/11/14/2

Scores

CVSS v3 8.8
EPSS 0.9331
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull postgres:13
docker pull redis:latest

Details

CWE
CWE-94
Status published
Products (2)
apache/airflow < 2.4.0
pypi/apache-airflow 0 - 2.4.0PyPI
Published Nov 14, 2022
Tracked Since Feb 18, 2026