PT-2026-50220 · Apache · Apache Airflow Ftp Provider

Jarek Potiuk

Published

2026-06-17

Updated

2026-06-17

CVE-2026-50203

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

A path traversal in the SFTP provider (SFTPHook.retrieve directory / SFTPOperator(operation=get)) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade apache-airflow-providers-sftp to 5.8.1 or later.

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-50203

Affected Products

Apache Airflow Ftp Provider

PT-2026-50220 · Apache · Apache Airflow Ftp Provider

CVE-2026-50203

Weakness Enumeration

Related Identifiers

Affected Products

References · 3