CVE-2026-49486 - Vulnerability Details - OpenCVE

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://github.com/apache/airflow/pull/67946
https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1

History

Fri, 26 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
Title		Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)
Weaknesses		CWE-319
References		https://github.com/apache/airflow/pull/67946 https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-26T07:05:39.182Z

Updated: 2026-06-26T07:05:39.182Z

Reserved: 2026-05-31T01:40:24.353Z

Link: CVE-2026-49486

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T08:30:04Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49486", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-05-31T01:40:24.353Z", "datePublished": "2026-06-26T07:05:39.182Z", "dateUpdated": "2026-06-26T07:05:39.182Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow-providers-ftp", "product": "Apache Airflow FTP provider", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.15.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrew Rukin (Arenadata)"}, {"lang": "en", "type": "remediation developer", "value": "Shubham Raj"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel."}], "value": "The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-26T07:05:39.182Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/67946"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}}}