High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026
Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
CVE-2025-69219
Description
A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it causing any damage is low.
You should upgrade to version 6.0.0 of the provider to avoid even that risk.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow-providers-http (PyPI) | < 6.0.0 | 6.0.0 |
Affected products
- osv-coords (5 versions):
  - pkg:apk/chainguard/airflow-2 (no CPE), range: < 2.11.2-r0
  - pkg:apk/chainguard/airflow-3 (no CPE), range: < 3.1.8-r0
  - pkg:apk/chainguard/airflow-core-2 (no CPE), range: < 2.11.1-r1
  - pkg:apk/wolfi/airflow-3 (no CPE), range: < 3.1.8-r0
  - pkg:pypi/apache-airflow-providers-http (no CPE), range: < 6.0.0
- Range: 5.1.0
References
- github.com/apache/airflow/pull/61662 (ghsa, patch, WEB)
- github.com/advisories/GHSA-9r5j-7r2x-rv4g (ghsa, ADVISORY)
- lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-69219 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2026/03/09/1 (ghsa, WEB)
- github.com/apache/airflow/commit/97839f7b0a8ae66d6079bb7fad5a363068f61617 (ghsa, WEB)