GHSA-gp5f-cx7h-8q6f

Source

https://github.com/advisories/GHSA-gp5f-cx7h-8q6f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-gp5f-cx7h-8q6f/GHSA-gp5f-cx7h-8q6f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gp5f-cx7h-8q6f

Aliases

Downstream

MINI-pc33-m97g-x9c8

Published

2025-10-30T12:31:11Z

Modified

2025-11-06T13:59:57.638094Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Apache Airflow's create action can upsert existing Pools/Connections/Variables

Details

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-250"
    ],
    "nvd_published_at": "2025-10-30T10:15:35Z",
    "github_reviewed_at": "2025-10-30T17:09:32Z"
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.1

Affected versions

3.*

3.0.0

3.0.1rc1

3.0.1

3.0.2rc1

3.0.2rc2

3.0.2

3.0.3rc1

3.0.3rc2

3.0.3rc3

3.0.3rc4

3.0.3rc5

3.0.3rc6

3.0.3

3.0.4rc1

3.0.4rc2

3.0.4

3.0.5rc1

3.0.5rc2

3.0.5rc3

3.0.5

3.0.6rc1

3.0.6rc2

3.0.6

3.1.0b1

3.1.0b2

3.1.0rc1

3.1.0rc2

3.1.0

3.1.1rc1

3.1.1rc2