Skip to main content

Airflow Providers Http CVE-2025-69219

HIGH
Improper Control of Dynamically-Managed Code Resources (CWE-913)
2026-03-09 security@apache.org GHSA-9r5j-7r2x-rv4g
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
Patch released
Mar 10, 2026 - 18:58 nvd
Patch available
CVE Published
Mar 09, 2026 - 11:16 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on apache-airflow-providers-http (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.0.

DescriptionCVE.org

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.

You should upgrade to version 6.0.0 of the provider to avoid even that risk.

AnalysisAI

Airflow Providers Http is affected by improper control of dynamically-managed code resources (CVSS 8.8).

Technical ContextAI

This vulnerability (CWE-913: Improper Control of Dynamically-Managed Code Resources) affects Airflow Providers Http. A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.

You should upgrade to version 6.0.0 of the provider to avoid even that risk.

RemediationAI

A vendor patch is available — apply it immediately. Update to version 6.0.0 or later. Restrict network access to the affected service where possible.

Share

CVE-2025-69219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy