Path Traversal Vulnerability in Apache Airflow SFTP Provider
CVE-2026-50203
Currently unrated
What is CVE-2026-50203?
A path traversal vulnerability exists in the SFTP provider of Apache Airflow, in the functions responsible for retrieving directory entries. A malicious remote SFTP server can exploit this flaw to manipulate files, writing them outside the intended local destination directory. The attack is particularly concerning because it does not require a valid Airflow account: any deployment that retrieves directories from an untrusted SFTP source is exposed. Users are encouraged to upgrade to version 5.8.1 or later of 'apache-airflow-providers-sftp' to mitigate this risk.
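The class of check that keeps server-supplied entry names inside the local destination directory, as an added example: this is not the Airflow provider's code or its fix. The names `safe_local_path`, `plan_downloads` and `UnsafeRemoteName` are hypothetical, and the listing is constructed sample data.

```python
import os
import tempfile


class UnsafeRemoteName(ValueError):
    """Raised when a server-supplied name would escape the destination."""


def safe_local_path(dest_dir: str, remote_name: str) -> str:
    """Map one server-supplied entry name to a path strictly inside dest_dir.

    Hypothetical helper, not part of apache-airflow-providers-sftp.
    """
    # A directory listing should yield plain entry names; reject anything else.
    if not remote_name or remote_name in (".", ".."):
        raise UnsafeRemoteName(remote_name)
    if "/" in remote_name or "\\" in remote_name or "\x00" in remote_name:
        raise UnsafeRemoteName(remote_name)
    root = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(root, remote_name))
    # Defence in depth: resolve symlinks, then confirm containment.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRemoteName(remote_name)
    return candidate


def plan_downloads(dest_dir, listing):
    """Split a listing into (accepted local paths, rejected names)."""
    accepted, rejected = [], []
    for name in listing:
        try:
            accepted.append(safe_local_path(dest_dir, name))
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected


# Constructed sample: entry names as an untrusted server might return them.
SAMPLE_LISTING = ["report.csv", "../outside.txt", "/tmp/abs.txt",
                  "..", "sub\\..\\evil", "data.json"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        ok, bad = plan_downloads(d, SAMPLE_LISTING)
        print("accepted:", [os.path.basename(p) for p in ok])
        print("rejected:", bad)
```

Rejected names are worth logging with the connection's host: a listing that contains separators or `..` is a sign that the remote server should not be trusted.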
Affected Version(s)
Apache Airflow SFTP provider: versions from 0 up to, but not including, 5.8.1