๐Ÿ” CVE Alert

CVE-2026-49297

HIGH 8.1

Apache Airflow Google provider: Path traversal via GCS object names โ†’ local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author โ€” partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains `..` segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP `destination_path` for `GCSToSFTPOperator`; the worker-local temp directory for `GCSTimeSpanFileTransformOperator`), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to `apache-airflow-providers-google` 22.2.1 or later.

CWE CWE-22
Vendor apache software foundation
Product apache airflow google provider
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow google provider

Be the first to know when new high vulnerabilities affecting apache software foundation apache airflow google provider are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow Google provider
0 < 22.2.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apache/airflow/pull/67667 lists.apache.org: https://lists.apache.org/thread/[email protected] openwall.com: http://www.openwall.com/lists/oss-security/2026/07/04/8

Credits

anonymous Jarek Potiuk