
Update dependency apache-airflow-providers-http to v6 [SECURITY] #14363

Open

renovate-bot wants to merge 1 commit into GoogleCloudPlatform:main from renovate-bot:renovate/pypi-apache-airflow-providers-http-vulnerability


Conversation

@renovate-bot

Contributor

This PR contains the following updates:

Package                                     Change
apache-airflow-providers-http (changelog)   ==4.4.2 -> ==6.0.0

Apache Airflow Providers Http has Unsafe Pickle Deserialization leading to RCE via HttpOperator

CVE-2025-69219 / GHSA-9r5j-7r2x-rv4g


Details

A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it doing any damage is low.

Users should upgrade to version 6.0.0 of the provider to avoid even that risk.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team as code owners June 30, 2026 18:05
@trusted-contributions-gcf trusted-contributions-gcf Bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 30, 2026
@product-auto-label product-auto-label Bot added samples Issues that are directly related to samples. api: composer Issues related to the Managed Service for Apache Airflow API. labels Jun 30, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the apache-airflow-providers-http dependency to version 6.0.0 in requirements.txt. The reviewer noted that constraints.txt should also be updated to match this version to avoid potential installation conflicts.

apache-airflow-providers-apache-beam==5.1.1
apache-airflow-providers-slack==7.3.2
apache-airflow-providers-http==4.4.2
apache-airflow-providers-http==6.0.0
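Review bot: the new pin at the end of the hunk (`apache-airflow-providers-http==6.0.0`) only changes requirements.txt; the companion pin in constraints.txt, which the inline review below says still reads `apache-airflow-providers-http==4.4.2`, has to move in the same commit, otherwise `pip install -r requirements.txt -c constraints.txt` will refuse the conflicting versions. The bump also skips a major version (4.x straight to 6.x), so check the provider changelog linked in the PR body for breaking changes in 5.0 and 6.0 before merging instead of treating it as a drop-in security patch.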


medium

The dependency apache-airflow-providers-http is updated to 6.0.0 here, but constraints.txt still contains apache-airflow-providers-http==4.4.2 on line 122. Updating constraints.txt to match this version prevents installation conflicts when constraints are applied.

@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 30, 2026