CVE-2025-62503

MEDIUM 4.6, EPSS 0.23%

Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)

Published: 10/30/2025
Modified: 11/6/2025
Also known as: GHSA-gp5f-cx7h-8q6f, BIT-airflow-2025-62503

Description

A user with CREATE but no UPDATE privilege for Pools, Connections, or Variables could update existing records via the bulk create API with the overwrite action.

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |

References (5)