Severity score: 8.8

Apache Airflow HTTP Provider Allows Unauthorized Code Execution

CVE-2025-69219 · GHSA-9r5j-7r2x-rv4g
Summary

Apache Airflow's HTTP provider unpickles data read from the Airflow metadata database on the Triggerer (the HttpOperator code path). An attacker who can write to that database could craft a row that, when deserialized, executes code on the Triggerer with the same privileges as a DAG author. Direct access to the metadata database is neither usual nor recommended in Airflow deployments, so exploitation is unlikely in practice, but users should still upgrade the provider to version 6.0.0.

What to do
  • Update apache-airflow-providers-http to version 6.0.0. Confirm the installed version with pip show apache-airflow-providers-http on every scheduler, worker and Triggerer host, since each runs its own copy of the provider.
  • Keep write access to the Airflow metadata database restricted to the Airflow components themselves; the issue is only reachable by someone who can modify database rows directly.
Affected software
Vendor        Product                          Affected versions      Fix available
(not listed)  apache-airflow-providers-http    <= 6.0.0               6.0.0
apache        airflow_providers_http           > 5.1.0, <= 6.0.0      (not listed)

Note: both rows list an upper bound of <= 6.0.0, which includes the version the advisory names as the fix. Read the affected range as versions before 6.0.0 unless the upstream advisory states otherwise, and treat any installation older than 6.0.0 as affected.
Original title
Apache Airflow Providers Http has Unsafe Pickle Deserialization leading to RCE via HttpOperator
Original description
A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a DAG author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it causing any damage is low.

Users should upgrade to version 6.0.0 of the provider to avoid even that risk.
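The summary and the original description above both describe the same mechanism: a component that trusts a pickle blob stored in the database will run whatever callable the blob names during unpickling. The following is an added illustration of that mechanism and of one hardening pattern; it is not the Airflow provider's own code and does not reproduce the affected HttpOperator path (the page does not show it). MaliciousRow, HttpCallState, _marker, craft_db_blob and the restricted unpickler are all constructed for this example, and the "gadget" only appends to a list so the effect is visible and harmless.

```python
"""Illustrative example (not Airflow's code): a pickle blob read from a
database must never reach pickle.loads, and an allow-listed Unpickler is
one way to harden the deserialization step. Every name here is constructed."""
import io
import pickle

# Observable side-effect sink. A real gadget would call os.system or
# subprocess; this one just records that it ran.
EXECUTED = []


def _marker(tag):
    EXECUTED.append(tag)
    return tag


class MaliciousRow:
    """Object whose pickled form instructs the unpickler to call
    _marker(...) while loading. An attacker with write access to the DB
    could store bytes like these where a trusted component expects state."""

    def __reduce__(self):
        return (_marker, ("code ran during unpickle",))


class HttpCallState:
    """Benign state a trigger might legitimately persist (hypothetical)."""

    def __init__(self, endpoint, status):
        self.endpoint = endpoint
        self.status = status


def craft_db_blob():
    # Constructed sample of what a tampered database row could contain.
    return pickle.dumps(MaliciousRow())


def unsafe_load(blob):
    # Vulnerable pattern: trusts whatever the database returns.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of (module, name) globals.
    Any other global, including the _marker callable above, is rejected
    before it can be invoked."""

    ALLOWED = {(HttpCallState.__module__, "HttpCallState")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Run the tampered blob through both loaders and report what happened."""
    blob = craft_db_blob()

    EXECUTED.clear()
    unsafe_load(blob)  # the gadget fires during deserialization
    fired = list(EXECUTED)

    EXECUTED.clear()
    try:
        safe_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    # The allow-listed class still round-trips through the hardened loader.
    benign = safe_load(pickle.dumps(HttpCallState("https://example.invalid/api", 200)))
    return {
        "unsafe_fired": fired,
        "safe_blocked": blocked,
        "safe_side_effects": list(EXECUTED),
        "benign_endpoint": benign.endpoint,
        "benign_status": benign.status,
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list approach limits damage when pickle cannot be removed quickly, but it is a mitigation, not a fix: the durable answer for state that crosses a trust boundary such as a shared database is a data-only format (JSON with explicit field validation), which has no notion of "call this function" at all.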
Vulnerability type
CWE-913 (Improper Control of Dynamically-Managed Code Resources)
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026