CVE-2025-62503

MEDIUM

Apache Airflow 3.0.0 through 3.1.1 - Privilege Escalation

Title source: llm
STIX 2.1

Description

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

References (2)

Scores

CVSS v3 4.6
EPSS 0.0018
EPSS Percentile 38.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-250
Status published
Products (2)
apache/airflow 3.0.0 - 3.1.1
pypi/apache-airflow 3.0.0 - 3.1.1PyPI
Published Oct 30, 2025
Tracked Since Feb 18, 2026