CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49486: The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the da

highCVSS 7.5CVE-2026-49486
The Apache Airflow FTP provider's FTPSHook.get_conn() created an ftplib.FTP_TLS connection but never called prot_p(), so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using FTPSHook or FTPSFileTransmitOperator to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel.

Details

Source
NVD Recent CVEs (US · database · site)
Severity
high — CVSS 7.5
Published
2026-06-26
Last updated
2026-06-26
Exploitation
Not in CISA KEV at last sync

Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-49486

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49486coverage & exploitation statusNVD · CVE.org

More from NVD Recent CVEs