CVE-2025-62402

MEDIUM 5.4

Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

CWE	CWE-250
Vendor	apache software foundation
Product	apache airflow
Published	Oct 30, 2025
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow

3.0.0 < 3.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs openwall.com: http://www.openwall.com/lists/oss-security/2025/10/29/7

Credits

🔍 kwkr (https://github.com/kwkr)