Path Traversal Vulnerability in Apache Airflow SFTP Provider
CVE-2026-50203
9.1CRITICAL
What is CVE-2026-50203?
A path traversal vulnerability exists in the SFTP provider of Apache Airflow, specifically within the functions responsible for retrieving directory entries. This flaw can be exploited by a malicious remote SFTP server to manipulate files, enabling the server to write files outside the intended local destination directory. This attack is particularly concerning as it does not require a valid Airflow account, exposing any deployment that retrieves directories from an untrusted SFTP source to potential exploitation. Users are encouraged to upgrade to version 5.8.1 or later of the 'apache-airflow-providers-sftp' to mitigate this risk.
Affected Version(s)
Apache Airflow SFTP provider 0 < 5.8.1
References
CVSS V3.1
Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
secuholic
Venkatraman Kumar (r3dw0lfsec), Securin
Jarek Potiuk