CVE-2025-62503: Apache Airflow's create action can upsert existing Pools/Connections/Variables

October 30, 2025

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

References

github.com/advisories/GHSA-gp5f-cx7h-8q6f
github.com/apache/airflow
lists.apache.org/thread/ov923dyccwbv01v9mhcv7t7ykzobycfo
nvd.nist.gov/vuln/detail/CVE-2025-62503

Code Behaviors & Features

Detect and mitigate CVE-2025-62503 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →