MEDIUM 4.6
PYSEC-2026-1133
Apache Airflow's create action can upsert existing Pools/Connections/Variables
Details
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / apache-airflow
Introduced in:
3.0.0 Fixed in: 3.1.1 Fix
pip install --upgrade 'apache-airflow>=3.1.1' References
- https://nvd.nist.gov/vuln/detail/CVE-2025-62503 [ADVISORY]
- https://github.com/apache/airflow [PACKAGE]
- https://lists.apache.org/thread/ov923dyccwbv01v9mhcv7t7ykzobycfo [WEB]
- http://www.openwall.com/lists/oss-security/2025/10/29/8 [WEB]
- https://pypi.org/project/apache-airflow [PACKAGE]
- https://github.com/advisories/GHSA-gp5f-cx7h-8q6f [ADVISORY]