CVE-2025-62503

CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)

Vendor: Apache Software Foundation
Product: Apache Airflow
Weakness: CWE-250
Published: October 30, 2025
Last update: October 30, 2025

CVSS base score

What the vulnerability does

Description

A user with CREATE but no UPDATE privilege for Pools, Connections, or Variables could update existing records via the bulk create API with the overwrite action.

Key dates

Disclosure timeline

October 30, 2025: CVE published
October 30, 2025: Record updated