VYPR
Moderate severity · NVD Advisory · Published Oct 30, 2025 · Updated Oct 30, 2025

Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)

CVE-2025-62503

Description

A user with CREATE and no UPDATE privilege for Pools, Connections, or Variables could update existing records via the bulk create API with the overwrite action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Airflow 3.0.0 through 3.1.0 allows users with CREATE-only privileges to overwrite existing Pools, Connections, and Variables via the bulk create API's overwrite action; version 3.1.1 fixes the issue.

Vulnerability

Overview

CVE-2025-62503 is a privilege boundary bypass in Apache Airflow versions from 3.0.0 up to, but not including, 3.1.1. The issue lies in the bulk APIs for Pools, Connections, and Variables. A user who holds only the CREATE privilege (and lacks UPDATE) on these resources can still modify existing records by submitting a bulk create action that is set to overwrite entities that already exist [2][3]. This breaks the intended separation of privileges: CREATE should only permit inserting new records, never modifying existing ones.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker needs a valid Airflow account that holds the CREATE permission on Pools, Connections, or Variables; no other privilege is required. The attacker sends a bulk request to the affected endpoint in which the create action is set to overwrite existing entities, and the API upserts the named records instead of rejecting the collision. Nothing beyond ordinary authenticated API access is needed [3].
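The following model, added here as an example and not taken from Apache Airflow or from this advisory, shows the authorisation gap described above: a bulk "create" action is authorised as a CREATE even when its on-existence policy is "overwrite", so a CREATE-only principal ends up updating rows. The request-body shape (a list of actions, each carrying an action_on_existence policy of "fail", "skip" or "overwrite") and the endpoint named in the comments are assumptions about the Airflow 3 bulk API; confirm them against the OpenAPI document of the deployment you are assessing. The store contents are constructed sample data.

```python
"""
Model of the CVE-2025-62503 authorisation gap in a bulk "create" action.

Added example, not Airflow project code.  The request body shape and the
endpoint mentioned below are assumptions about the Airflow 3 bulk API.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller lacks the privilege an action needs."""


@dataclass
class Store:
    """Toy stand-in for the Pools / Connections / Variables table (constructed data)."""
    rows: dict[str, dict] = field(default_factory=dict)


def build_bulk_create_body(entities: list[dict], on_existence: str = "fail") -> str:
    """Serialise one bulk 'create' action as the JSON a client would send,
    e.g. to PATCH /api/v2/pools (assumed endpoint)."""
    body = {"actions": [
        {"action": "create", "entities": entities, "action_on_existence": on_existence}
    ]}
    return json.dumps(body)


def _apply_create(store: Store, entities: list[dict], on_existence: str) -> dict:
    """Insert entities; an existing name is overwritten, skipped or rejected
    according to on_existence.  Returns what happened, by name."""
    created: list[str] = []
    updated: list[str] = []
    skipped: list[str] = []
    for entity in entities:
        name = entity["name"]
        if name in store.rows:
            if on_existence == "overwrite":
                store.rows[name] = dict(entity)
                updated.append(name)
            elif on_existence == "skip":
                skipped.append(name)
            else:
                raise ValueError(f"{name!r} already exists")
        else:
            store.rows[name] = dict(entity)
            created.append(name)
    return {"created": created, "updated": updated, "skipped": skipped}


def handle_create_vulnerable(store: Store, perms: set[str], entities: list[dict],
                             on_existence: str = "fail") -> dict:
    """Pre-3.1.1 shape of the bug: the whole action is authorised as a CREATE,
    so 'overwrite' silently updates rows the caller is not allowed to UPDATE."""
    if "CREATE" not in perms:
        raise PermissionDenied("CREATE privilege required")
    return _apply_create(store, entities, on_existence)


def handle_create_fixed(store: Store, perms: set[str], entities: list[dict],
                        on_existence: str = "fail") -> dict:
    """Hardened form: overwriting an existing row is an update in disguise and
    additionally requires UPDATE.  'skip' and 'fail' never touch existing rows
    and stay CREATE-only."""
    if "CREATE" not in perms:
        raise PermissionDenied("CREATE privilege required")
    if on_existence == "overwrite" and "UPDATE" not in perms:
        clobbered = [e["name"] for e in entities if e["name"] in store.rows]
        if clobbered:
            raise PermissionDenied(f"UPDATE privilege required to overwrite {clobbered}")
    return _apply_create(store, entities, on_existence)


def demo() -> dict:
    """Constructed scenario: a CREATE-only principal targets an existing pool."""
    payload = [{"name": "default_pool", "slots": 1, "description": "squeezed"}]
    create_only = {"CREATE"}

    vulnerable = Store(rows={"default_pool": {"name": "default_pool", "slots": 128}})
    before = handle_create_vulnerable(vulnerable, create_only, payload, "overwrite")

    fixed = Store(rows={"default_pool": {"name": "default_pool", "slots": 128}})
    try:
        handle_create_fixed(fixed, create_only, payload, "overwrite")
        after = "allowed"
    except PermissionDenied:
        after = "denied"

    return {
        "request_body": build_bulk_create_body(payload, "overwrite"),
        "vulnerable_result": before,
        "vulnerable_slots_now": vulnerable.rows["default_pool"]["slots"],
        "fixed_result": after,
        "fixed_slots_now": fixed.rows["default_pool"]["slots"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the hardened handler is that the privilege check is derived from what the action will actually do to stored data, not from the action's label: a "create" that would replace an existing row is authorised as an update. The same reasoning applies to any upsert-style endpoint, whether or not it is batched.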

Impact

A successful attack lets a low-privileged user overwrite existing Pools, Connections, or Variables without holding the intended UPDATE permission. Because these objects carry connection strings, credentials, and workflow configuration, unauthorized modification can enable further compromise or disrupt running workflows. The project maintainers rate the severity as low [2][3] (this index lists it as moderate), but the flaw bypasses an explicit security boundary.

Mitigation

The vulnerability is fixed in Apache Airflow version 3.1.1. Users running versions 3.0.0 through 3.1.0 should upgrade immediately. No workarounds are provided; the fix ensures that the bulk create API respects the UPDATE privilege requirement when overwriting existing records [3].
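Since upgrading is the only remedy, the first practical step is to find which deployments sit inside the affected range. The triage helper below is an added example, not code from the Airflow project or from this advisory; it encodes the range from the table on this page (>= 3.0.0, < 3.1.1) and orders pre-releases below their final release as PEP 440 does, so a 3.1.1 release candidate is still reported as affected. The inventory is constructed sample data.

```python
"""
Affected-version triage for CVE-2025-62503.  Added example, not Airflow
project code.  Range per the advisory: >= 3.0.0, < 3.1.1 (fixed in 3.1.1).
"""
from __future__ import annotations

import re

FIRST_AFFECTED = (3, 0, 0)
FIXED = (3, 1, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, final).  final is 1 for a plain release and
    0 for anything carrying a suffix (rc1, .dev0, a1, ...), so a pre-release
    sorts just below the release it precedes, as in PEP 440."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True when version lies in [3.0.0, 3.1.1).  A 3.1.1 pre-release such as
    3.1.1rc1 sorts below 3.1.1 and is therefore still reported as affected."""
    v = parse_version(version)
    return FIRST_AFFECTED + (1,) <= v < FIXED + (1,)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into those needing the 3.1.1 upgrade and those already
    outside the affected range."""
    upgrade: list[str] = []
    clear: list[str] = []
    for host, version in sorted(inventory.items()):
        (upgrade if is_affected(version) else clear).append(f"{host} ({version})")
    return {"upgrade": upgrade, "clear": clear}


# Constructed sample inventory: host name -> installed apache-airflow version.
SAMPLE_INVENTORY = {
    "airflow-prod-a": "3.1.0",
    "airflow-prod-b": "3.0.6",
    "airflow-stage": "3.1.1rc1",
    "airflow-dev": "3.1.1",
    "airflow-legacy": "2.10.5",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed it the versions from your package inventory (for instance the apache-airflow line of each host's pip freeze output); anything in the "upgrade" bucket should move to 3.1.1 or later, since the advisory offers no workaround.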

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions     Patched versions
apache-airflow   PyPI        >= 3.0.0, < 3.1.1     3.1.1

Affected products

  • Apache Software Foundation / Apache Airflow
    Range: 3.0.0

Patches


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions


No linked articles in our index yet.