PT-2026-55920 · Apache · Apache Airflow Google Provider
Jarek Potiuk
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-49297
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Apache Airflow's Google provider operators
GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains .. segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP destination path for GCSToSFTPOperator; the worker-local temp directory for GCSTimeSpanFileTransformOperator), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to apache-airflow-providers-google 22.2.1 or later.Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow Google Provider