SSH Host-Key Verification Issue in Apache Airflow Providers-Google
CVE-2026-45361

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 25 May 2026

What is CVE-2026-45361?

The Apache Airflow Providers-Google package contains a configuration flaw in the ComputeEngineSSHHook: the hook disables SSH host-key verification by default. With verification disabled, in-path network attackers can intercept or manipulate SSH sessions between an Airflow worker and a Compute Engine VM. Users should upgrade apache-airflow-providers-google to version 22.0.0 or higher to mitigate this risk.

Affected Version(s)

Apache Airflow Google provider 0 < 22.0.0
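
To check dependency files against the affected range above, the following added example (not part of the advisory or of any Apache code) classifies requirements.txt / pip freeze style lines for the provider. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

PACKAGE = "apache-airflow-providers-google"  # package named in the advisory
FIXED = (22, 0, 0)                           # first fixed release per the advisory

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(line):
    """Return 'affected', 'fixed', 'review', or None for unrelated lines."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)", line)
    if not m or normalize(m.group(1)) != PACKAGE:
        return None
    pin = re.match(r"===?\s*(\d+(?:\.\d+)*)([^\s;,]*)", m.group(2))
    if not pin:
        return "review"  # range or no specifier: resolved version unknown
    release = tuple(int(p) for p in pin.group(1).split("."))
    release += (0,) * (3 - len(release))
    if release < FIXED:
        return "affected"
    # A pre-release or wildcard of the fixed version is not a clear answer.
    return "review" if release == FIXED and pin.group(2) else "fixed"

def audit(text):
    """Group the provider's requirement lines by classification."""
    report = {"affected": [], "fixed": [], "review": []}
    for raw in text.splitlines():
        status = classify(raw)
        if status:
            report[status].append(raw.strip())
    return report

# Constructed sample input, in requirements.txt / pip freeze style.
SAMPLE = """\
apache-airflow==2.10.4
apache_airflow_providers_google[cncf.kubernetes]==10.26.0  # legacy DAG image
Apache.Airflow.Providers.Google == 22.0.0
apache-airflow-providers-google>=12.0
apache-airflow-providers-google==22.0.0rc1
"""

if __name__ == "__main__":
    for status, lines in audit(SAMPLE).items():
        for entry in lines:
            print(f"{status:9} {entry}")
```

Lines reported as "review" are not exact pins, so the installed version has to be confirmed in the environment itself.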

Credit

Jarek Potiuk