#VU120172 Missing Authentication for Critical Function in Apache Airflow Providers Edge3 - CVE-2025-67895

 

Published: December 17, 2025


Vulnerability identifier: #VU120172
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-67895
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Airflow Providers Edge3
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists because the application exposes the Edge3 Worker RPC via API endpoints. A remote Dag author can use the exposed endpoints to execute arbitrary code on the system.

The vulnerability affects Edge3 provider installations on Airflow 2. 


Remediation

Install updates from the vendor's website.
