CVE-2026-50203

ADVISORY - github

Summary

A path traversal in the SFTP provider (SFTPHook.retrieve_directory / SFTPOperator(operation=get)) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade apache-airflow-providers-sftp to 5.8.1 or later.
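The class of defect described above is a missing containment check on names the remote server controls. As an added illustration (not the provider's own code or fix), the check a defender would expect in any directory-download routine: each entry name from the listing is resolved against the destination and rejected unless it provably stays inside it. The function names, destination path and sample listing are constructed for this example.

```python
"""Containment check for entries returned by an SFTP directory listing.

Added illustration, not the provider's own code: the remote server chooses the
entry names it returns, so every local target must be proven to lie inside the
configured destination before any file is written."""
from __future__ import annotations

import os
from pathlib import PurePosixPath


class PathTraversalError(ValueError):
    """Raised when a remote entry would be written outside the destination."""


def safe_local_target(dest_dir: str, remote_entry: str) -> str:
    """Return the absolute local path for remote_entry under dest_dir.

    Remote names are treated as POSIX paths (SFTP listings use '/').  Empty or
    absolute names and any name with a '..' component are rejected up front; the
    resolved path is then checked for containment as a second line of defence.
    """
    dest_real = os.path.realpath(dest_dir)
    entry = PurePosixPath(remote_entry)
    if not remote_entry or entry.is_absolute() or ".." in entry.parts:
        raise PathTraversalError(f"rejected remote entry {remote_entry!r}")
    candidate = os.path.realpath(os.path.join(dest_real, *entry.parts))
    # commonpath is the containment test; a plain string-prefix check would
    # accept a sibling such as /data/dl-other for a destination of /data/dl.
    if candidate == dest_real or os.path.commonpath([dest_real, candidate]) != dest_real:
        raise PathTraversalError(f"{remote_entry!r} escapes {dest_dir!r}")
    return candidate


def filter_listing(dest_dir: str, entries: list[str]) -> tuple[list[str], list[str]]:
    """Split a listing into (accepted local targets, rejected remote names)."""
    accepted: list[str] = []
    rejected: list[str] = []
    for name in entries:
        try:
            accepted.append(safe_local_target(dest_dir, name))
        except PathTraversalError:
            rejected.append(name)
    return accepted, rejected


# Constructed sample listing mixing ordinary names with hostile ones.
SAMPLE_LISTING = ["report.csv", "2024/q1.csv", "../../outside.txt",
                  "/abs/outside.txt", "ok/../x.txt"]
```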

EPSS Score: 0.00727 (0.493)

Common Weakness Enumeration (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE: 3.9

EXPLOITS FOUND: -

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE: 9.1 (critical)

PyPA

CREATED

UPDATED

ADVISORY ID: PYSEC-2026-218

EXPLOITABILITY SCORE: 3.9

EXPLOITS FOUND: -

COMMON WEAKNESS ENUMERATION (CWE): -

CVSS SCORE: 9.1 (critical)

minimos

CREATED

UPDATED

ADVISORY ID: MINI-hx8c-679x-vwx6

EXPLOITABILITY SCORE: -

EXPLOITS FOUND: -

COMMON WEAKNESS ENUMERATION (CWE): -

RATING UNAVAILABLE FROM ADVISORY