Authorization Bypass in Apache Software Foundation's Product
CVE-2025-62503

Currently unrated

Key Information:

Vendor: Apache
CVE Published: 30 October 2025

What is CVE-2025-62503?

An authorization bypass vulnerability exists in selected Apache Software Foundation products. Users who hold the CREATE privilege but lack the UPDATE privilege for Pools, Connections, and Variables can call the bulk create API with the overwrite action and thereby modify existing records, which poses a significant risk to data integrity and system stability.
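
The flaw described above, reduced to a simplified model: an added example, not Apache Airflow's code. The `BulkCreate` class, its `on_existing` field, the permission names as strings and the sample data are all assumptions made for illustration. It contrasts a policy that checks only CREATE with one that derives the required privileges from what the request will actually do.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BulkCreate:
    resource: str                 # "pools", "connections" or "variables"
    entries: dict                 # key -> new value
    on_existing: str = "fail"     # hypothetical field: "fail", "skip" or "overwrite"

def perms_create_only(action):
    """Flawed policy: the bulk create path checks CREATE and nothing else."""
    return {"CREATE"}

def perms_by_effect(action):
    """Corrected policy: overwrite modifies existing records, so it also needs UPDATE."""
    needed = {"CREATE"}
    if action.on_existing == "overwrite":
        needed.add("UPDATE")
    return needed

def apply_bulk_create(store, grants, action, policy):
    """Authorize with the given policy, then apply the action to a copy of store."""
    missing = policy(action) - grants.get(action.resource, set())
    if missing:
        raise PermissionError(f"{action.resource}: missing {sorted(missing)}")
    records = dict(store.get(action.resource, {}))
    for key, value in action.entries.items():
        if key in records:
            if action.on_existing == "fail":
                raise ValueError(f"{key} already exists")
            if action.on_existing == "skip":
                continue
        records[key] = value
    return {**store, action.resource: records}

# Constructed sample data: one existing variable, a user holding CREATE only.
STORE = {"variables": {"env": "prod"}}
GRANTS = {"variables": {"CREATE"}}
OVERWRITE = BulkCreate("variables", {"env": "changed", "new_key": "v"}, "overwrite")

def demo():
    flawed = apply_bulk_create(STORE, GRANTS, OVERWRITE, perms_create_only)
    try:
        apply_bulk_create(STORE, GRANTS, OVERWRITE, perms_by_effect)
        fixed = "allowed"
    except PermissionError as exc:
        fixed = str(exc)
    return flawed["variables"]["env"], fixed

if __name__ == "__main__":
    print(demo())
```

Under the corrected policy the same user can still bulk-create with "skip" or "fail", since those modes never modify an existing record.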

Affected Version(s)

Apache Airflow 3.0.0 < 3.1.1

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maciej Kawka