PT-2026-52668 · Apache · Apache Airflow Ftp Provider
Andrew Rukin +1 · Published 2026-06-26 · Updated 2026-06-26 · CVE-2026-49486

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The Apache Airflow FTP provider's FTPSHook.get_conn() created an ftplib.FTP_TLS connection but never called prot_p(), so although the control channel was TLS-protected, the data channel was transmitted in cleartext. Any deployment using FTPSHook or FTPSFileTransmitOperator to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel.

Fix
Cleartext Transmission of Sensitive Information
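
The same omission can exist in in-house hooks or scripts that build ftplib.FTP_TLS connections directly. The static check below is an added example, not code from Airflow or from this advisory: the two sample functions are constructed, and the scanner (hypothetical helper names) only tracks plain local-variable assignments within a single function.

```python
import ast

# Constructed sample: two hypothetical connection helpers, not Airflow's source.
SAMPLE = '''
import ftplib

def get_conn_cleartext_data(host, user, password):
    conn = ftplib.FTP_TLS(host)
    conn.login(user, password)   # AUTH TLS protects the control channel only
    return conn

def get_conn_protected_data(host, user, password):
    conn = ftplib.FTP_TLS(host)
    conn.login(user, password)
    conn.prot_p()                # PROT P: data channel is now TLS too
    return conn
'''

def _is_ftp_tls_call(node):
    """True for FTP_TLS(...) or <module>.FTP_TLS(...)."""
    if not isinstance(node, ast.Call):
        return False
    f = node.func
    return (isinstance(f, ast.Name) and f.id == "FTP_TLS") or (
        isinstance(f, ast.Attribute) and f.attr == "FTP_TLS")

def find_missing_prot_p(source):
    """Return (function, variable, line) for FTP_TLS objects never given prot_p()."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        created, protected = {}, set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_ftp_tls_call(node.value):
                for tgt in node.targets:
                    if isinstance(tgt, ast.Name):
                        created[tgt.id] = node.lineno
            elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                  and node.func.attr == "prot_p"
                  and isinstance(node.func.value, ast.Name)):
                protected.add(node.func.value.id)
        findings += [(func.name, var, line) for var, line in created.items()
                     if var not in protected]
    return findings

if __name__ == "__main__":
    for name, var, line in find_missing_prot_p(SAMPLE):
        print(f"{name}: '{var}' (line {line}) is FTP_TLS without prot_p()")
```

Connections stored on attributes (for example self.conn) or passed between functions are outside what this check follows and need manual review.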
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow Ftp Provider