CVE-2025-62503

CWE-250 | 4 documents | 4 sources

Severity: 4.6 MEDIUM
EPSS: 0.2% (top 61.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 30

Description

A user with CREATE but no UPDATE privilege for Pools, Connections, or Variables could update existing records via the bulk create API with the overwrite action.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.1 | Impact: 2.5

Affected Packages (3 packages)

NVD | apache/airflow | 3.0.0 | 3.1.1
PyPI | apache-airflow | 3.0.0 | 3.1.1

Vulnerability Details (3)

OSV: Apache Airflow's create action can upsert existing Pools/Connections/Variables (2025-10-30)
CVEList: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) (2025-10-30)
GHSA: Apache Airflow's create action can upsert existing Pools/Connections/Variables (2025-10-30)
CVE-2025-62503 (MEDIUM CVSS 4.6) | User with CREATE and no UPDATE priv | cvebase.io