CVE-2022-38649
Published: 22 November 2022
Summary
CVE-2022-38649 is a critical-severity OS Command Injection (CWE-78) vulnerability in Apache Airflow. Its CVSS base score is 9.8 (Critical).
By exploit likelihood it ranks in the top 8.6% of all CVEs; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-38649 is an OS command injection vulnerability (CWE-78) in the Apache Airflow Pinot Provider. It affects all Pinot Provider releases prior to 4.0.0 and any Apache Airflow versions before 2.3.0 when the Pinot Provider is present; the provider cannot be installed on Airflow releases older than 2.3.0, so both components must be considered together.
An unauthenticated attacker with network access can supply crafted input that is passed to operating-system commands inside the task execution context. The flaw does not require write access to DAG files, so an adversary who can influence that input gains arbitrary command execution, with full confidentiality, integrity, and availability impact on the affected Airflow deployment.
Public advisories and the referenced Apache pull request state that the issue is resolved by upgrading the Pinot Provider to version 4.0.0; this version must be installed manually even after Airflow itself has been updated to 2.3.0 or later.
EPSS for this CVE rose to a recorded peak of 0.1197 on 2025-12-11 before receding to the current score of 0.0663, indicating a period of heightened exploitation interest well after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7272
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.