VYPR
High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026

Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator

CVE-2025-69219

Description

A user with access to the DB could craft a database entry that would result in code execution on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it causing any damage is low.

You should upgrade to version 6.0.0 of the provider to avoid even that risk.
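
As an added illustration (not code from Apache Airflow or from this advisory), the sketch below shows two defensive checks for the unsafe pickle deserialization named in the title: walking stored bytes for opcodes that import or call objects without unpickling them, and loading with an unpickler that refuses every global. The sample rows are constructed, and the function names are hypothetical; nothing here reflects the provider's schema or how version 6.0.0 fixes the issue.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that import a name or invoke a callable while a pickle is loading.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def audit_pickle(blob: bytes) -> list[str]:
    """List the risky opcodes in blob by walking it, never unpickling it."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(blob):
            if opcode.name in RISKY_OPCODES and opcode.name not in found:
                found.append(opcode.name)
    except Exception:  # truncated or non-pickle bytes: treat as suspect
        found.append("MALFORMED")
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars
    (dict, list, str, bytes, int, ...) can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_data_only(blob: bytes):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


# Constructed sample values standing in for bytes read back from a database.
PLAIN_ROW = pickle.dumps({"status_code": 200, "body": b"ok"})
OBJECT_ROW = pickle.dumps(datetime.date(2026, 3, 9))  # benign, but needs a global

if __name__ == "__main__":
    for label, row in (("plain", PLAIN_ROW), ("object", OBJECT_ROW)):
        print(label, audit_pickle(row))
        try:
            print("  loaded:", load_data_only(row))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

A pickle of plain data carries none of the flagged opcodes, so any hit in a column expected to hold only data is worth investigating before the value is ever loaded.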

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| apache-airflow-providers-http (PyPI) | < 6.0.0 | 6.0.0 |
