Improper Access Control

apacheairflow is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks in the bulk create API with the overwrite action, which allows an attacker with only CREATE privileges to update existing Pools, Connections, and Variables without having UPDATE...

BIT-AIRFLOW-2025-62503 Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action...

EUVD-2025-36995

Apache Airflow's create action can upsert existing Pools/Connections/Variables...

CVE-2025-62503

CVE-2025-62503 – Apache Airflow: Privilege boundary bypass in bulk APIs allows a user with CREATE (but not UPDATE) for Pools, Connections, and Variables to update existing records via the bulk create API with an overwrite action. Multiple sources (BIT-AIRFLOW-2025-62503, EUVD, Red Hat/CISA refere...

CVE-2025-62503 Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action...

PT-2025-44369

Name of the Vulnerable Software and Affected Versions Versions prior to 2025-62503 Description A user possessing CREATE privilege but lacking UPDATE privilege for Pools, Connections, and Variables can modify existing records through the bulk create API utilizing the overwrite action. This allows...