PT-2026-55920 · Apache · Apache Airflow Google Provider

Jarek Potiuk

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-49297

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains .. segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP destination path for GCSToSFTPOperator; the worker-local temp directory for GCSTimeSpanFileTransformOperator), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to apache-airflow-providers-google 22.2.1 or later.

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49297

Affected Products

Apache Airflow Google Provider