CVE-2025-30473 – Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection

https://notcve.org/view.php?id=CVE-2025-30473

07 Apr 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as parameter (which was a recommended pattern), Authenticated UI User could inject arbitrary SQL command when triggering DAG exposing partition_clause to the user. This allowed the DAG Triggering user to escalate privileges to execute those arbitrary commands which they normally would not have. This issue affects Ap... • https://github.com/apache/airflow/pull/48098 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •