๐Ÿ” CVE Alert

CVE-2026-49486

UNKNOWN 0.0

Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
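The fail-closed guard below is an added example, not the provider's code or its fix: it uses only the standard-library `ftplib` to show the missing `prot_p()` call beside the protected session. `StrictFTPS`, `RecordingFTPS`, `open_session` and `transfer_allowed` are hypothetical names, and the server reply is constructed so the block runs without a network.

```python
import ftplib


class StrictFTPS(ftplib.FTP_TLS):
    """FTP_TLS that fails closed: no data connection unless PROT P was negotiated."""

    def require_private_data_channel(self):
        # _prot_p is the CPython ftplib flag set by prot_p() and cleared by prot_c();
        # ntransfercmd() only TLS-wraps the data socket when it is True.
        if not self._prot_p:
            raise ftplib.Error("PROT P not negotiated; data channel would be cleartext")

    def ntransfercmd(self, cmd, rest=None):
        self.require_private_data_channel()
        return super().ntransfercmd(cmd, rest)


class RecordingFTPS(StrictFTPS):
    """Constructed offline stand-in: records control commands instead of sending them."""

    def __init__(self):
        super().__init__()  # no host given, so no network connection is made
        self.sent = []

    def voidcmd(self, cmd):
        self.sent.append(cmd)
        return "200 OK"  # constructed server reply


def open_session(conn, protect_data):
    """protect_data=False mirrors the flaw described above (prot_p() never called)."""
    if protect_data:
        conn.prot_p()  # sends PBSZ 0, then PROT P
    return conn


def transfer_allowed(conn):
    """True if a RETR/STOR would pass the fail-closed guard."""
    try:
        conn.require_private_data_channel()
        return True
    except ftplib.Error:
        return False
```

Against a real server, `StrictFTPS` is used like `ftplib.FTP_TLS`: call `login()` and then `prot_p()`, and any transfer attempted without the latter raises instead of sending data in cleartext.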

CWE: CWE-319
Vendor: Apache Software Foundation
Product: Apache Airflow FTP provider
Published: Jun 26, 2026

Affected Versions

Apache Software Foundation / Apache Airflow FTP provider
0 < 3.15.1

References

github.com: https://github.com/apache/airflow/pull/67946
lists.apache.org: https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1

Credits

Andrew Rukin (Arenadata)
Shubham Raj