=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN270
_____________________________________________________________________

DATE                : 09/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow Providers Http
                         versions prior to 6.0.0.

=====================================================================
https://lists.apache.org/thread/bon39m7hy3myvxlnj90k07m22ofh7zm4
_____________________________________________________________________

CVE-2025-69219: Apache Airflow Providers Http: Unsafe Pickle
Deserialization in apache-airflow-providers-http leading to RCE via
HttpOperator

Severity: Low

Affected versions:

- Apache Airflow Providers Http (apache-airflow-providers-http) 5.1.0
before 6.0.0

Description:

A user with access to the DB could craft a database entry that would
result in code execution on the Triggerer, which gives anyone who has
access to the DB the same permissions as a Dag Author. Since direct DB
access is neither usual nor recommended for Airflow, the likelihood of
it causing any damage is low.

You should upgrade to version 6.0.0 of the provider to avoid even
that risk.
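As an added illustration of the risk class the description names (unsafe pickle deserialization of a value read from a shared database), not code from Airflow, the provider or the advisory: a static opcode scan that refuses any pickle stream able to import or call something during load, paired with an Unpickler that resolves no globals at all. The opcode policy and sample rows are constructed for this example.

```python
import io
import pickle
import pickletools

# Opcodes that make the unpickler import a name or invoke a callable while
# loading. A stream without them can only build plain data (dicts, lists,
# strings, numbers). Policy constructed for this example.
CODE_EXECUTING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL",          # resolve module.attr
    "REDUCE", "INST", "OBJ",           # call a callable with arguments
    "NEWOBJ", "NEWOBJ_EX", "BUILD",    # cls.__new__ / __setstate__ hooks
}

def dangerous_opcodes(blob: bytes) -> list:
    """Names of code-executing opcodes in a pickle stream.

    Purely static: pickletools.genops parses the stream without executing
    it, so this is safe to run on an untrusted row before any load."""
    return [op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in CODE_EXECUTING_OPCODES]

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so no callable can be resolved and
    nothing can be invoked during load (defence in depth behind the scan)."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def safe_loads(blob: bytes):
    """Load a pickle only if it is provably data-only."""
    found = dangerous_opcodes(blob)
    if found:
        raise pickle.UnpicklingError(f"code-executing opcodes: {found}")
    return DataOnlyUnpickler(io.BytesIO(blob)).load()

def is_rejected(blob: bytes) -> bool:
    """True when safe_loads refuses the stream."""
    try:
        safe_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed sample rows: a data-only value, and a stream that merely
# references a global (harmless when loaded, but exactly the shape of
# stream a data-only loader must reject).
PLAIN_ROW = pickle.dumps({"url": "https://example.invalid/api", "retries": 3})
GLOBAL_ROW = pickle.dumps(len)
```

The same check applies to any pickled column read back from a database shared with other principals: scan first, and never fall back to plain pickle.loads.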

Credit:

skypher (finder)
Shauryae1337 (GitHub: https://github.com/Shauryae1337) (finder)
Ahmet Artuç (finder)

References:

https://github.com/apache/airflow/pull/61662
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-69219


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================