PT-2026-57820 · Apache · Apache-Airflow-Providers-Git

Ephraim Anierobi

+1

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-58065

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions apache-airflow-providers-git versions prior to 0.4.1
Description The Apache Airflow Git provider performs git-over-SSH operations with StrictHostKeyChecking=no by default, which disables SSH host-key verification. This allows an attacker capable of intercepting the network path between an Airflow worker and the Git server to perform a man-in-the-middle attack. Such an attack could lead to the capture of the SSH deploy key or the injection of malicious repository content. This issue affects deployments utilizing the Git DAG bundle or Git provider to clone over SSH using a deploy key.
Recommendations Update to apache-airflow-providers-git version 0.4.1 or later and configure a known hosts file.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58065

Affected Products

Apache-Airflow-Providers-Git