Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to apache-airflow-providers-google 22.0.0 or later.
AnalysisAI
Man-in-the-middle exposure in Apache Airflow's apache-airflow-providers-google package (versions prior to 22.0.0) stems from the ComputeEngineSSHHook shipping with paramiko.AutoAddPolicy as its default missing-host-key policy, silently trusting any SSH host key presented by a Compute Engine VM. An in-path network attacker positioned between the Airflow worker and the GCE instance can intercept or tamper with the SSH session, exposing credentials, DAG-driven commands, and transferred data. No public exploit identified at time of analysis and EPSS is very low (0.02%), but technical impact is rated total by SSVC.
Technical ContextAI
The affected component is the ComputeEngineSSHHook in providers/google/src/airflow/providers/google/cloud/hooks/compute_ssh.py, which wraps paramiko's SSHClient to connect Airflow workers to Google Compute Engine VMs over SSH. The pre-fix code unconditionally called client.set_missing_host_key_policy(paramiko.AutoAddPolicy()), meaning the client accepted and recorded any host key presented during the first connection without verifying it against a known_hosts file or out-of-band source. This is a textbook CWE-322 (Key Exchange without Entity Authentication) issue: the SSH handshake completes a Diffie-Hellman key exchange but never authenticates the server identity, so a network adversary who can redirect traffic (BGP hijack, ARP/DNS spoofing on a shared network segment, compromised GCP networking path) can present their own host key and act as a transparent proxy. The CPE cpe:2.3:a:apache_software_foundation:apache_airflow_google_provider:* covers all versions prior to the fix.
RemediationAI
Vendor-released patch: upgrade apache-airflow-providers-google to 22.0.0 or later (fix landed via apache/airflow PR #66746, https://github.com/apache/airflow/pull/66746). Note that 22.0.0 introduces a new host_key_policy constructor argument but preserves the historical "auto_add" default for backward compatibility, so upgrading alone does NOT close the MitM gap - operators must explicitly construct ComputeEngineSSHHook (or configure connections) with host_key_policy="reject" and a populated known_hosts file, or pass a custom paramiko.MissingHostKeyPolicy (for example, one that loads pinned host keys from GCE guest attributes). If upgrade is delayed, compensating controls include constraining Airflow-to-GCE SSH traffic to private VPC paths with no third-party transit (eliminating the in-path attacker position), enforcing IAP TCP forwarding for SSH so Google-managed identity gates the path, and using short-lived OS Login keys; trade-off is operational complexity and that IAP/VPC restrictions still trust the GCP control plane rather than cryptographically authenticating the host key.
Same weakness CWE-322 – Key Exchange without Entity Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31659
GHSA-g9v5-gjwf-9rwx