CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qf38-jq28-3ccq: Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory

criticalCVSS 9.1CVE-2026-50203
A path traversal in the SFTP provider (SFTPHook.retrieve_directory / SFTPOperator(operation=get)) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade apache-airflow-providers-sftp to 5.8.1 or later.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.1
Published
2026-06-17
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qf38-jq28-3ccq

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50203coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories