Cyber Resilience

CVE-2022-40127

Severity: High · Type: RCE

Published: 14 November 2022
Modified: 30 April 2025
KEV Added: not listed
Patch: available (upgrade to Apache Airflow 2.4.0 or later)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9331 (99.8th percentile)
Risk Priority: 74 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40127 is a high-severity Code Injection (CWE-94) vulnerability in Apache Airflow. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability in the Example Dags component of Apache Airflow permits command injection through the manually supplied run_id parameter when DAGs are triggered. The flaw, classified as CWE-94, affects all versions prior to 2.4.0 and carries a CVSS 3.1 base score of 8.8.

An authenticated user who already possesses UI access and the ability to trigger DAGs can supply a crafted run_id value to execute arbitrary commands on the underlying system, achieving full confidentiality, integrity, and availability impact within the Airflow deployment.

Advisories and the associated pull request 25960 indicate that the issue is resolved by upgrading to Apache Airflow 2.4.0 or later.

The EPSS score has remained consistently high, reaching a peak of 0.9385 with a current value of 0.9331.

Vulnerability details

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

CWE(s): CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache · Product: airflow · Versions: ≤ 2.4.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References