A vulnerability has been found in Apache Airflow up to 3.2.1 and classified as critical . Impacted is an unknown function of the file dag_run.conf of the component BashOperator . The manipulation leads to improper neutralization of special elements used in a template engine. This vulnerability is traded as CVE-2026-42252 . It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.