CVE-2025-69219

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low. You should upgrade to version 6.0.0 of the provider to avoid even that risk.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/61662	Issue Tracking Patch
https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0	Mailing List
http://www.openwall.com/lists/oss-security/2026/03/09/1	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow_providers_http:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-09 11:16

Updated : 2026-03-10 18:58

NVD link : CVE-2025-69219

Mitre link : CVE-2025-69219

CVE.ORG link : CVE-2025-69219

JSON object : View

Products Affected

apache

airflow_providers_http

CWE

CWE-913

Improper Control of Dynamically-Managed Code Resources

{"id": "CVE-2025-69219", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-09T11:16:05.907", "references": [{"url": "https://github.com/apache/airflow/pull/61662", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/09/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.\n\nYou should upgrade to version 6.0.0 of the provider to avoid even that risk."}, {"lang": "es", "value": "Un usuario con acceso a la base de datos podr\u00eda crear una entrada en la base de datos que resultar\u00eda en la ejecuci\u00f3n de c\u00f3digo en Triggerer, lo que otorga a cualquiera que tenga acceso a la base de datos los mismos permisos que a Dag Author. Dado que el acceso directo a la base de datos no es habitual ni recomendado para Airflow, la probabilidad de que cause alg\u00fan da\u00f1o es baja.\n\nDeber\u00eda actualizar a la versi\u00f3n 6.0.0 del proveedor para evitar incluso ese riesgo."}], "lastModified": "2026-03-10T18:58:35.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow_providers_http:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B59A3356-B515-48EC-A6ED-060EC1F4A025", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}