PT-2026-43023 · Apache Airflow · Apache Airflow Google Provider
Jarek Potiuk · Published 2026-05-25 · Updated 2026-05-27 · CVE-2026-45361
CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
apache-airflow-providers-google versions prior to 22.0.0
Description
The ComputeEngineSSHHook disables SSH host-key verification by default. This configuration exposes SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers, who may intercept or modify the session.
Recommendations
Update to version 22.0.0 or later.
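The following static check is an added example, not part of the advisory or of the provider's code. It finds other SSH client code in a repository that accepts unknown host keys, the weakness described above. It assumes the code under review uses paramiko, whose AutoAddPolicy and WarningPolicy both let a connection proceed when the server key is not already known; the sample source is constructed.

```python
import ast

# paramiko policies that accept a server key missing from known_hosts
PERMISSIVE = {"AutoAddPolicy", "WarningPolicy"}

# Constructed sample input (not taken from the provider's source).
SAMPLE = '''\
import paramiko

def connect_weak(host):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(host)

def connect_strict(host, known_hosts):
    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts)
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host)

def connect_warn(host):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.WarningPolicy)
    client.connect(host)
'''

def _ident(node):
    """Trailing identifier of a Name, Attribute or Call node, else None."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_unverified_host_keys(source, filename="<source>"):
    """Return sorted (line, policy) pairs where a permissive policy is installed."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call)
                and _ident(node.func) == "set_missing_host_key_policy"):
            continue
        # The policy may be passed positionally or as policy=...
        args = node.args + [k.value for k in node.keywords]
        policy = _ident(args[0]) if args else None
        if policy in PERMISSIVE:
            hits.append((node.lineno, policy))
    return sorted(hits)
```

Calling `find_unverified_host_keys(SAMPLE)` reports lines 5 and 16 of the sample and leaves the `RejectPolicy` call on line 11 alone.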
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow Google Provider