Moderate severity · NVD Advisory · Published Oct 30, 2025 · Updated Feb 26, 2026
Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API
CVE-2025-62402
Description
API users via /api/v2/dagReports could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | >= 3.0.0, < 3.1.1 | 3.1.1 |
Affected products
- osv-coords (2 versions): >= 3.0.0, < 3.1.1 (+ 1 more)
- (no CPE) range: >= 3.0.0, < 3.1.1
- (no CPE) range: >= 3.0.0, < 3.1.1
References
- github.com/advisories/GHSA-273c-4g26-4jpm (ghsa, ADVISORY)
- lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-62402 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/10/29/7 (ghsa, WEB)
- github.com/apache/airflow/commit/828aaa0b1d95caf90612a648867c17aec7e87874 (ghsa, WEB)
- github.com/apache/airflow/pull/56609 (ghsa, WEB)