Severity
High
Analysis Summary
CVE-2026-25604 CVSS:8.1
Apache Airflow Providers Amazon could allow a remote authenticated attacker to bypass authentication and gain access to different instances with potentially different access controls. The flaw arises because the origin of the SAML authentication is used as provided by the client and is not verified against the actual instance URL.
CVE-2025-69219 CVSS:7.8
Apache Airflow Providers Http could allow a local authenticated attacker to execute arbitrary code on the system, caused by an unsafe pickle deserialization flaw.
Impact
- Security Bypass
- Code Execution
Indicators of Compromise
CVE
CVE-2026-25604
CVE-2025-69219
Affected Vendors
Apache
Affected Products
- Apache Airflow Providers Amazon - 8.0.0 - 9.21.0
- Apache Airflow Providers Http - 5.1.0 - 5.6.4
Remediation
Upgrade to the latest version, available from the Apache website.
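To find deployments that still pin a version inside the affected ranges listed above, the following added example (not part of the original advisory or of Apache Airflow) checks requirements-style lines against those ranges. It assumes the ranges are inclusive and that the providers are installed under the PyPI names `apache-airflow-providers-amazon` and `apache-airflow-providers-http`; the function names and the sample input are constructed for illustration.

```python
import re

# Inclusive affected ranges, copied from the "Affected Products" list above.
# Distribution names are an assumption (the advisory gives product names only).
AFFECTED = {
    "apache-airflow-providers-amazon": ((8, 0, 0), (9, 21, 0), "CVE-2026-25604"),
    "apache-airflow-providers-http": ((5, 1, 0), (5, 6, 4), "CVE-2025-69219"),
}
# name, optional [extras], optional ==version (anything else counts as unpinned)
REQ = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(?:==\s*(\S+))?")

def normalize(name):
    """PEP 503 normalization so 'Apache_Airflow.Providers_HTTP' still matches."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Numeric release segment as ints, padded to 3 parts; None if not numeric.
    Suffixes such as rc1 are ignored, which errs toward flagging."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def check_requirements(lines):
    """Return (package, version, cve, status) for each advisory package found.
    status is 'affected', 'not-in-range' or 'unpinned' (no exact == pin)."""
    findings = []
    for raw in lines:
        m = REQ.match(raw.split("#", 1)[0].strip())
        if not m or normalize(m.group(1)) not in AFFECTED:
            continue
        name = normalize(m.group(1))
        low, high, cve = AFFECTED[name]
        rel = release_tuple(m.group(2)) if m.group(2) else None
        if rel is None:
            status = "unpinned"
        else:
            status = "affected" if low <= rel <= high else "not-in-range"
        findings.append((name, m.group(2), cve, status))
    return findings

# Constructed sample input in `pip freeze` / requirements.txt style.
SAMPLE = [
    "apache-airflow==2.10.0",
    "apache-airflow-providers-amazon[s3fs]==9.21.0",
    "Apache_Airflow.Providers_HTTP==5.6.5",
    "apache-airflow-providers-http>=5.1  # floor only, resolved version unknown",
]
```

An `unpinned` result means the line does not fix an exact version, so the resolved version in the running environment has to be checked separately.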