Apache Airflow Privilege Boundary Bypass Vulnerability in Bulk Create API

Vulnerability

Apache Airflow versions from 3.0.0 up to but not including 3.1.1 let a user who holds CREATE permission, but not UPDATE permission, on Pools, Connections or Variables overwrite records that already exist. The bulk create API accepts an overwrite action for records that collide with existing ones, and the request is authorized as a create even though the overwrite replaces an existing record, so the UPDATE permission boundary is never enforced. The practical check is the version: deployments on 3.1.1 or later are outside the affected range.
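The following Python example, added here and not taken from the Airflow code base, shows the shape of the bug: a permission mapper that keys only on the action name grants a create-with-overwrite on CREATE alone, while the hardened mapper also requires UPDATE whenever the action can replace an existing record. The field names `action` and `action_on_existence` with the value `overwrite` follow the Airflow 3 bulk API request schema as recalled by the editor and should be treated as an assumption; the permission names and the sample request are constructed for the example.

```python
"""Permission mapping for a bulk "create" request that can overwrite.

Added example, not Airflow project code. Field names (``action``,
``action_on_existence``, ``overwrite``) follow the Airflow 3 bulk API
request schema as recalled by the editor; treat them as an assumption.
Permission names are illustrative.
"""
from __future__ import annotations

CREATE, UPDATE, DELETE = "CREATE", "UPDATE", "DELETE"


def required_methods_naive(action: dict) -> set[str]:
    """Vulnerable mapping: authorizes on the action name alone, so a
    create that overwrites an existing record only needs CREATE."""
    return {
        "create": {CREATE},
        "update": {UPDATE},
        "delete": {DELETE},
    }[action["action"]]


def required_methods_hardened(action: dict) -> set[str]:
    """Hardened mapping: a create that may overwrite also needs UPDATE,
    because overwriting an existing record is an update in effect."""
    kind = action["action"]
    if kind == "create":
        needed = {CREATE}
        # "fail" and "skip" never touch an existing record; "overwrite" does.
        if action.get("action_on_existence", "fail") == "overwrite":
            needed.add(UPDATE)
        return needed
    if kind == "update":
        return {UPDATE}
    if kind == "delete":
        return {DELETE}
    raise ValueError(f"unknown bulk action: {kind!r}")


def authorize_bulk(body: dict, granted: set[str], mapper) -> bool:
    """Return True only if the caller holds every permission that every
    action in the request body requires under the given mapper."""
    return all(mapper(action) <= granted for action in body["actions"])


# Constructed sample request: a bulk create on Variables that asks to
# overwrite whatever already exists under the key "DB_HOST".
SAMPLE_BODY = {
    "actions": [
        {
            "action": "create",
            "action_on_existence": "overwrite",
            "entities": [{"key": "DB_HOST", "value": "attacker.example"}],
        }
    ]
}

# A caller that was granted CREATE on Variables but not UPDATE.
CREATE_ONLY = {CREATE}

if __name__ == "__main__":
    print("naive    allows:", authorize_bulk(SAMPLE_BODY, CREATE_ONLY, required_methods_naive))
    print("hardened allows:", authorize_bulk(SAMPLE_BODY, CREATE_ONLY, required_methods_hardened))
```

The naive mapper accepts the request, which is the privilege boundary bypass; the hardened mapper rejects it for a CREATE-only caller and still accepts a plain create with `action_on_existence` left at its default, so legitimate creates are unaffected.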

Impact

Exploitation lets a user with only CREATE permission modify existing Pools, Connections or Variables that they are not permitted to update. Because Connections carry the endpoints and credentials tasks use, and Variables and Pools carry task configuration and concurrency limits, an unauthorized overwrite can change how workflows are managed or executed.

Added: Oct 30, 2025, 10:17 AM
Updated: Oct 30, 2025, 4:08 PM

Vulnerability Rating

Custom Algorithm

spread:         5.0
impact:         0.6
exploitability: 5.2
remediation:    0.0
relevance:      0.9
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.