CVE-2025-69219

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-69219
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low. You should upgrade to version 6.0.0 of the provider to avoid even that risk.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/apache/airflow/pull/61662 Issue Tracking Patch
https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 Mailing List
http://www.openwall.com/lists/oss-security/2026/03/09/1 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow_providers_http:*:*:*:*:*:*:*:*
History

10 Mar 2026, 18:58

Type Values Removed Values Added
First Time Apache airflow Providers Http
Apache
Summary
  • (es) Un usuario con acceso a la base de datos podría crear una entrada en la base de datos que resultaría en la ejecución de código en Triggerer, lo que otorga a cualquiera que tenga acceso a la base de datos los mismos permisos que a Dag Author. Dado que el acceso directo a la base de datos no es habitual ni recomendado para Airflow, la probabilidad de que cause algún daño es baja. Debería actualizar a la versión 6.0.0 del proveedor para evitar incluso ese riesgo.
CPE cpe:2.3:a:apache:airflow_providers_http:*:*:*:*:*:*:*:*
References () https://github.com/apache/airflow/pull/61662 - () https://github.com/apache/airflow/pull/61662 - Issue Tracking, Patch
References () https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 - () https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 - Mailing List
References () http://www.openwall.com/lists/oss-security/2026/03/09/1 - () http://www.openwall.com/lists/oss-security/2026/03/09/1 - Mailing List, Third Party Advisory

09 Mar 2026, 16:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

09 Mar 2026, 11:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-09 11:16

Updated : 2026-03-10 18:58

NVD link : CVE-2025-69219

Mitre link : CVE-2025-69219

CVE.ORG link : CVE-2025-69219

JSON object : View

Products Affected

apache

  • airflow_providers_http
CWE
CWE-913

Improper Control of Dynamically-Managed Code Resources