CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49297

highCVSS 8.1covered by 2 sourcesfirst seen 2026-07-06
Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains .. segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP destination_path for GCSToSFTPOperator; the worker-local temp directory for GCSTimeSpanFileTransformOperator), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to apache-airflow-providers-google 22.2.1 or later.

CSIRTS triage

What
A vulnerability allows an attacker to manipulate files within Apache Airflow.
Who is affected
Deployments of Apache Airflow are affected by this vulnerability.
Urgency
Remediation is medium urgency as the severity is medium and exploitation is not currently reported.
Action
Update to the latest version of Apache Airflow to address this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-49297

Get an email if CVE-2026-49297 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-49297

CVE.org record

Embed the live status

CVE-2026-49297 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49297 status](https://www.csirts.com/badge/CVE-2026-49297)](https://www.csirts.com/cve/CVE-2026-49297)