PT-2026-57820 · Apache · Apache-Airflow-Providers-Git
Ephraim Anierobi
+1
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-58065
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
apache-airflow-providers-git versions prior to 0.4.1
Description
The Apache Airflow Git provider performs git-over-SSH operations with
StrictHostKeyChecking=no by default, which disables SSH host-key verification. This allows an attacker capable of intercepting the network path between an Airflow worker and the Git server to perform a man-in-the-middle attack. Such an attack could lead to the capture of the SSH deploy key or the injection of malicious repository content. This issue affects deployments utilizing the Git DAG bundle or Git provider to clone over SSH using a deploy key.Recommendations
Update to apache-airflow-providers-git version 0.4.1 or later and configure a
known hosts file.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache-Airflow-Providers-Git