PT-2026-24022 · Apache · Apache Airflow Ftp Provider
Ahmet Artuç +2 · Published 2026-03-08 · Updated 2026-03-14 · CVE-2025-69219
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Airflow Providers Http versions prior to 6.0.0
Description
A user with database access can create a malicious database entry that executes code on the Triggerer, granting them the same permissions as a Dag Author. Direct database access is not typical for Airflow, reducing the likelihood of exploitation. The issue involves unsafe pickle deserialization in the HttpOperator.
Recommendations
Upgrade to version 6.0.0 of the provider to address the issue.
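A defender-side check for the weakness described above, added here as an example and not code from Apache Airflow or the provider: it lists the callables a pickled blob would import, without deserializing it. The function names, the allowlist and the sample blobs are assumptions constructed for illustration; this page does not say which table or column holds the serialized data.

```python
import collections
import pickle
import pickletools

# Opcodes that push a str; STACK_GLOBAL takes module and name from the stack.
_STR_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
# Assumed allowlist for this example; list only what your data should contain.
ALLOWED = {("collections", "OrderedDict")}


def pickle_imports(blob: bytes) -> list[tuple[str, str]]:
    """Return the (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in _STR_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # Protocols 0-2 carry "module name" as one space-separated argument.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Heuristic: assume the two most recent string pushes are the operands.
            # Memo reuse (BINGET) can defeat this, so unresolved hits are reported too.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))
    return found


def audit(blob: bytes) -> list[tuple[str, str]]:
    """Return imports outside ALLOWED; malformed input is flagged, never loaded."""
    try:
        return [ref for ref in pickle_imports(blob) if ref not in ALLOWED]
    except Exception:
        return [("<malformed>", "<malformed>")]


# Constructed sample blobs (benign objects only).
PLAIN = pickle.dumps({"conn_id": "http_default", "retries": 3})
ORDERED = pickle.dumps(collections.OrderedDict(a=1))
COUNTER_P4 = pickle.dumps(collections.Counter("aab"), protocol=4)
COUNTER_P2 = pickle.dumps(collections.Counter("aab"), protocol=2)

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("ordered", ORDERED),
                        ("counter-p4", COUNTER_P4), ("counter-p2", COUNTER_P2)]:
        print(label, audit(blob) or "ok")
```

Data that should be plain values needs no imports at all, so any non-empty result from `audit` on such a blob is worth reviewing before anything calls `pickle.loads` on it.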
Exploit
Fix
RCE
Affected Products
Apache Airflow Ftp Provider