Vulnerability in FTP Provider of Apache Airflow Affects Data Transmission Security
CVE-2026-49486
Currently unrated
What is CVE-2026-49486?
The Apache Airflow FTP provider contains a vulnerability in which the FTPSHook.get_conn() method establishes an ftplib.FTP_TLS connection without calling prot_p(). As a result, the control channel is protected by TLS, but the data channel transmits its contents, including sensitive files and credentials, unencrypted. Deployments that use FTPSHook or FTPSFileTransmitOperator for file transfers over FTPS are at risk, because a network attacker may be able to intercept the transferred data. To mitigate this risk, upgrade to apache-airflow-providers-ftp version 3.15.1 or later, which issues the PROT P command to secure the data channel.
Affected Version(s)
Apache Airflow FTP provider: all versions before 3.15.1