CVE-2026-50203

CRITICAL

Apache Airflow Sftp Provider < 5.8.1 - Path Traversal

Title source: rule
STIX 2.1

Description

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

References (3)

Core 3

Scores

CVSS v3 9.1
EPSS 0.0063
EPSS Percentile 45.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (3)
apache/apache-airflow-providers-sftp < 5.8.1
Apache Software Foundation/Apache Airflow SFTP provider < 5.8.1
pypi/apache-airflow-providers-sftp 0 - 5.8.1PyPI
Published Jun 17, 2026
Tracked Since Jun 17, 2026