Security Vulnerability in Apache Airflow Git Provider by Apache
CVE-2026-58065

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
13 July 2026

What is CVE-2026-58065?

The Apache Airflow Git provider allows users to run git-over-SSH commands with host-key verification disabled by default. This misconfiguration leaves deployments susceptible to man-in-the-middle attacks, where an adversary could intercept the data exchanged between an Airflow worker and the Git server. Through this vulnerability, attackers may capture SSH deploy keys or inject harmful content into repositories. To mitigate this risk, users are advised to upgrade to apache-airflow-providers-git version 0.4.1 or later and appropriately configure a known_hosts file for SSH key verification.

Affected Version(s)

Apache Airflow Git provider 0 < 0.4.1

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Siyang Wu (independent researcher)
Ephraim Anierobi
.