CVE-2025-62402

CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API

Vendor Apache Software Foundation

Product Apache Airflow

Weakness CWE-250

Published October 30, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

Key dates

Disclosure timeline

October 30, 2025 CVE published

February 26, 2026 Record updated