CVE-2025-62503: Apache Airflow's create action can upsert existing Pools/Connections/Variables

The vulnerability exists in the bulk create APIs for Pools, Connections, and Variables. A user with only CREATE permission could update existing records by specifying action_on_existence='overwrite' in the bulk request. This bypassed the authorization check for UPDATE permission.

The analysis of the patch between versions 3.1.0 and 3.1.1, specifically commit 411ddeb5d310c3d4d0fcaebf941418eef0132568, reveals the exact location of the vulnerability. The fix was implemented in the security decorator functions requires_access_pool_bulk, requires_access_connection_bulk, and requires_access_variable_bulk located in airflow/api_fastapi/core_api/security.py.

Prior to the patch, these decorators only checked for POST (create) permission on bulk create actions. The patch introduces a new helper function, _get_resource_methods_from_bulk_request, which correctly adds a check for PUT (update) permission when the overwrite option is used. The decorators were updated to use this new helper function, thus closing the privilege escalation gap. The vulnerable functions are identified as these decorators because they contained the flawed permission-checking logic.