CVE-2026-50203 - Vulnerability Details - OpenCVE

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/apache/airflow/pull/67985
https://lists.apache.org/thread/7f4b284oh44c1n95oq8mh1qc7y1lr9dx

History

Wed, 17 Jun 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.
Title		Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names
Weaknesses		CWE-22
References		https://github.com/apache/airflow/pull/67985 https://lists.apache.org/thread/7f4b284oh44c1n95oq8mh1qc7y1lr9dx

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-17T01:47:49.652Z

Updated: 2026-06-17T01:54:11.793Z

Reserved: 2026-06-04T00:05:50.170Z

Link: CVE-2026-50203

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50203", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-04T00:05:50.170Z", "datePublished": "2026-06-17T01:47:49.652Z", "dateUpdated": "2026-06-17T01:54:11.793Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow-providers-sftp", "product": "Apache Airflow SFTP provider", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.8.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "secuholic"}, {"lang": "en", "type": "finder", "value": "Venkatraman Kumar (r3dw0lfsec), Securin"}, {"lang": "en", "type": "remediation developer", "value": "Jarek Potiuk"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required \u2014 the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later."}], "value": "A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required \u2014 the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-17T01:47:49.652Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/67985"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7f4b284oh44c1n95oq8mh1qc7y1lr9dx"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/16/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-17T01:54:11.793Z"}}]}}