Path Traversal Vulnerability in Apache Airflow's Google Provider Operators
CVE-2026-49297

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-49297?

The vulnerability affects Apache Airflow's Google provider operators, specifically GCSToSFTPOperator and GCSTimeSpanFileTransformOperator. These operators are susceptible to a path traversal vulnerability that arises from the handling of GCS object names returned by the bucket listing API. The operators directly concatenate these object names to destination filesystem paths without proper normalization or containment checks. This can allow a malicious user, who holds write access to the GCS bucket, to exploit the naming mechanism to introduce .. segments in the object names. As a result, it may permit the overwriting of arbitrary files on the SFTP server, which could lead to significant disruptions or data loss. It is recommended to upgrade to apache-airflow-providers-google version 22.2.1 or later to mitigate this risk.

Affected Version(s)

Apache Airflow Google provider 0 < 22.2.1

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

anonymous
Jarek Potiuk
.