CVE-2025-69219

HIGH 8.8

Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low. You should upgrade to version 6.0.0 of the provider to avoid even that risk.

CWE	CWE-913
Vendor	apache software foundation
Product	apache airflow providers http
Published	Mar 9, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow providers http

Be the first to know when new high vulnerabilities affecting apache software foundation apache airflow providers http are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow Providers Http

5.1.0 < 6.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/61662 lists.apache.org: https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 openwall.com: http://www.openwall.com/lists/oss-security/2026/03/09/1

Credits

skypher Shauryae1337 (GitHub: https://github.com/Shauryae1337) Ahmet Artuç