Path Traversal Vulnerability in Apache Airflow's Google Provider Operators
CVE-2026-49297
What is CVE-2026-49297?
The vulnerability affects Apache Airflow's Google provider operators, specifically GCSToSFTPOperator and GCSTimeSpanFileTransformOperator. These operators are susceptible to a path traversal vulnerability that arises from the handling of GCS object names returned by the bucket listing API. The operators directly concatenate these object names to destination filesystem paths without proper normalization or containment checks. This can allow a malicious user, who holds write access to the GCS bucket, to exploit the naming mechanism to introduce .. segments in the object names. As a result, it may permit the overwriting of arbitrary files on the SFTP server, which could lead to significant disruptions or data loss. It is recommended to upgrade to apache-airflow-providers-google version 22.2.1 or later to mitigate this risk.
Affected Version(s)
Apache Airflow Google provider 0 < 22.2.1