CVE-2025-62503: 
Apache Airflow vulnerability analysis and mitigation

A privilege boundary bypass vulnerability was discovered in Apache Airflow versions 3.0.0 to 3.1.1, identified as CVE-2025-62503. The vulnerability was discovered by Maciej Kawka and publicly disclosed on October 29, 2025. The issue affects the bulk API functionality in Apache Airflow, specifically impacting the management of Pools, Connections, and Variables components (OSS Security).

The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The issue is classified under CWE-250 (Execution with Unnecessary Privileges). The vulnerability exists in the bulk create APIs for Pools, Connections, and Variables, where the authorization check for UPDATE permission was bypassed when using the actiononexistence='overwrite' parameter in bulk requests (Miggo).

The vulnerability allows users with only CREATE privileges to modify existing records in the system, effectively bypassing the intended access control mechanisms. This could lead to unauthorized modification of Pools, Connections, and Variables within Apache Airflow, potentially impacting the integrity of workflow configurations (OSS Security).

The vulnerability has been fixed in Apache Airflow version 3.1.1. The fix involves updating the security decorator functions (requiresaccesspoolbulk, requiresaccessconnectionbulk, and requiresaccessvariable_bulk) to properly check for UPDATE permissions when handling bulk create actions with overwrite parameters (Miggo).