CVE Alert

CVE-2026-45361

HIGH 8.1

Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later.
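A static check for the pattern named in the title, added here as an example (not code from Apache Airflow or its Google provider): it scans Python source for `set_missing_host_key_policy()` calls that install a paramiko policy accepting unknown host keys. It goes slightly beyond the advisory by also flagging `WarningPolicy`, which logs a warning but still accepts the key; the function names and the sample source are constructed for illustration.

```python
import ast

# paramiko policies that accept a host key the client has never seen.
PERMISSIVE = {"AutoAddPolicy", "WarningPolicy"}

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
import paramiko

def connect_insecure(host):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(host)

def connect_pinned(host, known_hosts):
    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts)
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host)
'''

def _name(node):
    """Trailing identifier of a Name, Attribute or Call node, else None."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None

def find_permissive_host_key_policies(source, filename="<src>"):
    """Return (filename, line, policy) for each call that installs a
    permissive policy. Policies passed through a variable are not traced."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and node.args
                and _name(node.func) == "set_missing_host_key_policy"):
            continue
        policy = _name(node.args[0])
        if policy in PERMISSIVE:
            findings.append((filename, node.lineno, policy))
    return sorted(findings)

if __name__ == "__main__":
    for path, line, policy in find_permissive_host_key_policies(SAMPLE, "sample.py"):
        print(f"{path}:{line}: host key verification disabled ({policy})")
```
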

CWE: CWE-322
Vendor: apache software foundation
Product: apache airflow google provider
Published: May 25, 2026
Last Updated: Jun 1, 2026

Affected Versions

Apache Software Foundation / Apache Airflow Google provider
0 < 22.0.0

References

github.com: https://github.com/apache/airflow/pull/66746
lists.apache.org: https://lists.apache.org/thread/[email protected]
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/24/9

Credits

anonymous Jarek Potiuk