Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN646
_____________________________________________________________________

DATE                : 18/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow SFTP provider
                            versions prior to 5.8.1.

=====================================================================
https://lists.apache.org/thread/yhmw2hxx2ny7z8s0zhg14ozdlt1ks1mn
_____________________________________________________________________

CVE-2026-50203: Apache Airflow SFTP provider: Path traversal in
SFTPHook.retrieve_directory allows local file write outside the
destination directory via malicious server-supplied directory-entry
names

Severity: moderate 

Affected versions:

- Apache Airflow SFTP provider (apache-airflow-providers-sftp) before
5.8.1

Description:

A path traversal in the SFTP provider
(`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let
a malicious or compromised remote SFTP server write files outside
the configured local destination directory via crafted
directory-entry names. No Airflow account is required — the attack
surface is any deployment downloading directories from an untrusted
SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or
later.

Credit:

secuholic (finder)
Venkatraman Kumar (r3dw0lfsec), Securin (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/67985
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50203


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================