CVE-2026-50203

UNKNOWN 0.0

Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

CWE	CWE-22
Vendor	apache software foundation
Product	apache airflow sftp provider
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow sftp provider

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache airflow sftp provider are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow SFTP provider

0 < 5.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/67985 lists.apache.org: https://lists.apache.org/thread/7f4b284oh44c1n95oq8mh1qc7y1lr9dx openwall.com: http://www.openwall.com/lists/oss-security/2026/06/16/3

Credits

secuholic Venkatraman Kumar (r3dw0lfsec), Securin Jarek Potiuk