Apache Airflow Triggerer DB Code Exec, fixed v6.0.0
CVE-2025-69219 Published on March 9, 2026
Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.
You should upgrade to version 6.0.0 of the provider to avoid even that risk.
Vulnerability Analysis
CVE-2025-69219 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Control of Dynamically-Managed Code Resources
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
Products Associated with CVE-2025-69219
Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Airflow Providers Http:- Version 5.1.0 and below 6.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.