CVE-2025-69219

HIGH

Apache Airflow - Code Injection

Title source: llm

Description

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low. You should upgrade to version 6.0.0 of the provider to avoid even that risk.

Exploits (1)

nomisec WORKING POC

by ahmetartuc · poc

https://github.com/ahmetartuc/poc-cve-2025-69219

View Code ZIP pw:eip

References (3)

[Issue Tracking] https://github.com/apache/airflow/pull/61662

[Mailing List] https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0

[Mailing List] http://www.openwall.com/lists/oss-security/2026/03/09/1

Scores

CVSS v3 8.8

EPSS 0.0001

EPSS Percentile 2.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-913

Status draft

Affected Products (1)

pypi/apache-airflow-providers-http < 6.0.0PyPI

Timeline

Published Mar 09, 2026

Tracked Since Mar 09, 2026