GHSA-gp5f-cx7h-8q6f

Source

https://github.com/advisories/GHSA-gp5f-cx7h-8q6f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-gp5f-cx7h-8q6f/GHSA-gp5f-cx7h-8q6f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gp5f-cx7h-8q6f

Aliases

Downstream

MINI-pc33-m97g-x9c8

Published

2025-10-30T12:31:11Z

Modified

2025-11-06T13:59:57.638094Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Apache Airflow's create action can upsert existing Pools/Connections/Variables

Details

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

Database specific

{
    "nvd_published_at": "2025-10-30T10:15:35Z",
    "github_reviewed_at": "2025-10-30T17:09:32Z",
    "cwe_ids": [
        "CWE-250"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.1

Affected versions

3.*

3.0.0

3.0.1rc1

3.0.1

3.0.2rc1

3.0.2rc2

3.0.2

3.0.3rc1

3.0.3rc2

3.0.3rc3

3.0.3rc4

3.0.3rc5

3.0.3rc6

3.0.3

3.0.4rc1

3.0.4rc2

3.0.4

3.0.5rc1

3.0.5rc2

3.0.5rc3

3.0.5

3.0.6rc1

3.0.6rc2

3.0.6

3.1.0b1

3.1.0b2

3.1.0rc1

3.1.0rc2

3.1.0

3.1.1rc1

3.1.1rc2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-gp5f-cx7h-8q6f/GHSA-gp5f-cx7h-8q6f.json"