Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-2u2j-n9c2-3bbn
Vulnerability ID VCID-2u2j-n9c2-3bbn
Aliases CVE-2025-62503
GHSA-gp5f-cx7h-8q6f
Summary Apache Airflow's create action can upsert existing Pools/Connections/Variables User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-250 Execution with Unnecessary Privileges
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00229 https://api.first.org/data/v1/epss?cve=CVE-2025-62503
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-gp5f-cx7h-8q6f
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-62503
https://github.com/apache/airflow
https://lists.apache.org/thread/ov923dyccwbv01v9mhcv7t7ykzobycfo
http://www.openwall.com/lists/oss-security/2025/10/29/8
CVE-2025-62503 https://nvd.nist.gov/vuln/detail/CVE-2025-62503
GHSA-gp5f-cx7h-8q6f https://github.com/advisories/GHSA-gp5f-cx7h-8q6f
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.45739
EPSS Score 0.00229
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:04:40.856722+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/apache-airflow/CVE-2025-62503.yml 38.6.0