CVE Catalog

CVE-2026-50203

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

A path traversal vulnerability in the SFTP provider allows a malicious or compromised remote SFTP server to write files outside the configured local destination directory. No Airflow account is required, and the attack surface includes any deployment downloading directories from an untrusted SFTP server.

Risk Assessment

Organizations may be exposed to unauthorized access to file systems, potentially leading to data loss or the introduction of malware.

Recommendation

It is recommended to upgrade the `apache-airflow-providers-sftp` package to version 5.8.1 or later to mitigate this vulnerability.

Original NVD description (English source)

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS