Authorization Bypass in Apache Software Foundation's Product
CVE-2025-62503
4.6 MEDIUM
What is CVE-2025-62503?
An authorization bypass vulnerability exists within selected Apache Software Foundation products. Users granted the CREATE privilege, but lacking UPDATE privileges for Pools, Connections, and Variables, can use the bulk create API with an overwrite action. Because the overwrite action replaces records that already exist, this lets them modify existing records despite having no UPDATE privilege, posing a significant security risk to data integrity and system stability.
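The privilege gap described above, modelled as an added example that is not Apache Airflow's code: the names Store, User, bulk_create_vulnerable, bulk_create_fixed and the on_conflict parameter (with its "fail", "skip" and "overwrite" values) are assumptions made for the illustration. The vulnerable variant checks only CREATE, so a create-only caller can overwrite an existing record; the fixed variant treats an overwrite as an update and fails closed unless UPDATE is also held.

```python
"""Hypothetical model of the authorization gap behind CVE-2025-62503.

Added illustration, not Apache Airflow's code: Store, User, on_conflict and
the two bulk_create_* functions are assumptions made for this example.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller lacks the privilege an operation needs."""


@dataclass
class User:
    name: str
    privileges: frozenset  # e.g. frozenset({"CREATE"}); scoped per resource in a real system


@dataclass
class Store:
    """Stand-in for a table of Pools, Connections or Variables keyed by name."""
    records: dict = field(default_factory=dict)


def _apply_bulk(store: Store, items: dict, on_conflict: str) -> list:
    """Write each item; what happens on an existing key depends on on_conflict."""
    applied = []
    for key, value in items.items():
        if key in store.records:
            if on_conflict == "overwrite":
                store.records[key] = value      # replaces an existing record: an update
                applied.append(key)
            elif on_conflict == "skip":
                continue
            else:
                raise ValueError(f"{key!r} already exists")
        else:
            store.records[key] = value          # a genuine create
            applied.append(key)
    return applied


def bulk_create_vulnerable(user: User, store: Store, items: dict, on_conflict: str = "fail") -> list:
    """Flawed check: only CREATE is required, even when overwrite modifies existing records."""
    if "CREATE" not in user.privileges:
        raise PermissionDenied(f"{user.name}: CREATE required")
    return _apply_bulk(store, items, on_conflict)


def bulk_create_fixed(user: User, store: Store, items: dict, on_conflict: str = "fail") -> list:
    """Hardened check: overwriting is an update, so it also requires UPDATE.

    The check is made up front (fail closed) rather than per colliding record,
    so a caller without UPDATE cannot even submit an overwrite request.
    """
    if "CREATE" not in user.privileges:
        raise PermissionDenied(f"{user.name}: CREATE required")
    if on_conflict == "overwrite" and "UPDATE" not in user.privileges:
        raise PermissionDenied(f"{user.name}: UPDATE required to overwrite existing records")
    return _apply_bulk(store, items, on_conflict)


def is_denied(func, *args, **kwargs) -> bool:
    """True if the call is rejected by the authorization check."""
    try:
        func(*args, **kwargs)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: one pre-existing connection-like record.
    creator = User("create-only", frozenset({"CREATE"}))
    store = Store({"smtp_default": "host=old.example"})
    print("vulnerable applied:",
          bulk_create_vulnerable(creator, store, {"smtp_default": "host=new.example"}, "overwrite"),
          store.records)
    store = Store({"smtp_default": "host=old.example"})
    print("fixed denies overwrite:",
          is_denied(bulk_create_fixed, creator, store, {"smtp_default": "host=new.example"}, "overwrite"),
          store.records)
```

A per-record variant (require UPDATE only when a key actually collides) is also possible, but the up-front check is simpler to audit and leaks nothing about which names already exist to a caller who is not allowed to update them.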
Affected Version(s)
Apache Airflow from 3.0.0 before 3.1.1
CVSS V3.1
Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Maciej Kawka