Path Traversal Vulnerability in Apache Airflow SFTP Provider
CVE-2026-50203

9.1CRITICAL

Key Information:

Vendor

Apache

Vendor
CVE Published:
17 June 2026

What is CVE-2026-50203?

A path traversal vulnerability exists in the SFTP provider of Apache Airflow, specifically within the functions responsible for retrieving directory entries. This flaw can be exploited by a malicious remote SFTP server to manipulate files, enabling the server to write files outside the intended local destination directory. This attack is particularly concerning as it does not require a valid Airflow account, exposing any deployment that retrieves directories from an untrusted SFTP source to potential exploitation. Users are encouraged to upgrade to version 5.8.1 or later of the 'apache-airflow-providers-sftp' to mitigate this risk.

Affected Version(s)

Apache Airflow SFTP provider 0 < 5.8.1

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

secuholic
Venkatraman Kumar (r3dw0lfsec), Securin
Jarek Potiuk
.