12 matches found
Exploit for Improper Control of Dynamically-Managed Code Resources in Apache Airflow_Providers_Http
CVE-2025-69219 — Apache Airflow Providers HTTP RCE via Unsafe...
Improper Control of Dynamically-Managed Code Resources
Overview: apache-airflow-providers-http is a Provider package for Apache Airflow. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the HttpTrigger’s pickle-based serialization in the deferred HTTP task...
Apache Airflow Providers Http has Unsafe Pickle Deserialization leading to RCE via HttpOperator
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who has access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...
CVE-2025-69219
CVE-2025-69219 affects Apache Airflow Providers HTTP. The vulnerability arises from unsafe pickle deserialization in the HTTP provider’s deferred task path, where a crafted database entry can cause the Triggerer to execute arbitrary code with the Dag Author’s permissions. Exploitation requires DB...
CVE-2025-69219 Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who has access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...
CVE-2025-69219 Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who has access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...
PT-2026-24022
Name of the Vulnerable Software and Affected Versions: Apache Airflow Providers Http versions prior to 6.0.0. Description: A user with database access can create a malicious database entry that executes code on the Triggerer, granting them the same permissions as a Dag Author. Direct database access...
Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A High severity Unsafe Deserialization vulnerability exists in the airflow.providers.http package. The HttpOperator uses pickle.loads to deserialize untrusted data received from the Triggerer service via the database in the execute_complete method. This allows an attacker who has gained write acce...
SAP NetWeaver AS Java XSS (3262544)
Due to insufficient input validation, SAP NetWeaver AS Java HTTP Provider Service - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...
Input validation
Due to insufficient input validation, SAP NetWeaver AS Java HTTP Provider Service - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...
CVE-2022-41262
Due to insufficient input validation, SAP NetWeaver AS Java HTTP Provider Service - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...
CVE-2022-41262
CVE-2022-41262 affects SAP NetWeaver AS Java (HTTP Provider Service), version 7.50. The issue is due to insufficient input validation that allows an unauthenticated attacker to inject a script into a web request header. The resulting impact is described as limited in confidentiality and integrity...