FKIE_CVE-2025-69219
Vulnerability from fkie_nvd - Published: 2026-03-09 11:16 - Updated: 2026-03-10 18:58
Severity: HIGH (CVSS v3.1 base score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary
A user with access to the database could craft a database entry that results in code execution on the Triggerer, which gives anyone with DB access the same permissions as a DAG Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of this causing damage is low.
You should upgrade to version 6.0.0 of the provider to avoid even that risk.
References
| Source | URL | Tags |
|---|---|---|
| security@apache.org | https://github.com/apache/airflow/pull/61662 | Issue Tracking, Patch |
| security@apache.org | https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 | Mailing List |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2026/03/09/1 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| apache | airflow_providers_http | * (5.1.0 up to, but excluding, 6.0.0 per the CPE match below) |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:airflow_providers_http:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B59A3356-B515-48EC-A6ED-060EC1F4A025",
"versionEndExcluding": "6.0.0",
"versionStartIncluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.\n\nYou should upgrade to version 6.0.0 of the provider to avoid even that risk."
},
{
"lang": "es",
"value": "Un usuario con acceso a la base de datos podr\u00eda crear una entrada en la base de datos que resultar\u00eda en la ejecuci\u00f3n de c\u00f3digo en Triggerer, lo que otorga a cualquiera que tenga acceso a la base de datos los mismos permisos que a Dag Author. Dado que el acceso directo a la base de datos no es habitual ni recomendado para Airflow, la probabilidad de que cause alg\u00fan da\u00f1o es baja.\n\nDeber\u00eda actualizar a la versi\u00f3n 6.0.0 del proveedor para evitar incluso ese riesgo."
}
],
"id": "CVE-2025-69219",
"lastModified": "2026-03-10T18:58:35.607",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-03-09T11:16:05.907",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/airflow/pull/61662"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2026/03/09/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.