SCA: security update for apache-airflow-providers-http (GHSA-9r5j-7r2x-rv4g)

high Tenable Cloud Security Plugin ID 438559

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A user with access to the DB could craft a database entry that would result in executing code on Triggerer
- which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is
not usual and recommended for Airflow, the likelihood of it making any damage is low. You should upgrade
to version 6.0.0 of the provider to avoid even that risk. (CVE-2025-69219)

Solution

Update the apache-airflow-providers-http library and its related packages to version 6.0.0 or later.

See Also

https://github.com/advisories/GHSA-9r5j-7r2x-rv4g

Plugin Details

Severity: High

ID: 438559

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/10/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-69219

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/9/2026

Vulnerability Publication Date: 3/9/2026

Reference Information

CVE: CVE-2025-69219

cwe: CWE-913