Severity by source
Primary rating from Vendor (apache).
CVSS vector (Vendor: apache): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Rationale: Attacker needs an on-path or passive position to observe the data channel, so AC:H; confidentiality-only impact (files and credentials), with no integrity or availability effect.
Blast Radius: 6
Ecosystem impact: 106 PyPI packages depend on apache-airflow-providers-ftp (1 direct, 105 indirect). Ecosystem-wide dependent count for version 3.15.1.
Description (source: CVE.org)
The Apache Airflow FTP provider's FTPSHook.get_conn() created an ftplib.FTP_TLS connection but never called prot_p(), so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using FTPSHook or FTPSFileTransmitOperator to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel.
Analysis (AI-generated)
Cleartext data-channel exposure in the Apache Airflow FTP provider (apache-airflow-providers-ftp before 3.15.1) lets a network attacker positioned on the data path read file contents and credentials moved over FTPS. The FTPSHook.get_conn() method established an ftplib.FTP_TLS control connection but never issued PROT P, so payloads transferred via FTPSHook or FTPSFileTransmitOperator traveled in plaintext despite the TLS-protected control channel. …
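The defect described in the Description and Analysis above, as an added example that is not the Airflow provider's code: a hook-shaped get_conn() with and without the prot_p() call, an audit of the control-channel command log, and an ftplib.FTP_TLS subclass that refuses transfers while the data channel is still cleartext. RecordingFTPS, ftps_get_conn, data_channel_encrypted and StrictFTPS are constructed names, and the StrictFTPS guard assumes CPython's private FTP_TLS._prot_p flag.

```python
import ftplib


class RecordingFTPS:
    """Constructed stand-in for ftplib.FTP_TLS: records control commands instead of sending them."""
    def __init__(self) -> None:
        self.commands: list[str] = []
    def login(self, user: str, passwd: str) -> None:
        # FTP_TLS.login() upgrades the control channel (AUTH TLS) before sending credentials
        self.commands += ["AUTH TLS", f"USER {user}", "PASS ********"]
    def prot_p(self) -> None:
        self.commands.append("PROT P")  # the call the vulnerable hook never made


def ftps_get_conn(conn, user: str, passwd: str, protect_data: bool):
    """Shape of an FTPS hook's get_conn() (constructed, not Airflow's code).
    protect_data=False reproduces the advisory's defect: login() secures only the control
    channel, so every later RETR/STOR moves file bytes in cleartext. protect_data=True is
    the fix: PROT P makes the server wrap each data connection in TLS as well."""
    conn.login(user, passwd)
    if protect_data:
        conn.prot_p()
    return conn


def data_channel_encrypted(commands: list[str]) -> bool:
    """Audit a control-channel command log: was PROT P issued after AUTH TLS?"""
    return "AUTH TLS" in commands and "PROT P" in commands[commands.index("AUTH TLS"):]


class StrictFTPS(ftplib.FTP_TLS):
    """Compensating control while upgrading: refuse data transfers while the data channel
    is cleartext. Assumes CPython's private FTP_TLS._prot_p flag, which prot_p() sets."""
    def ntransfercmd(self, cmd, rest=None):
        if not self._prot_p:
            raise ftplib.error_perm(f"refusing {cmd!r}: PROT P not issued, data channel is cleartext")
        return super().ntransfercmd(cmd, rest)


if __name__ == "__main__":
    vuln = ftps_get_conn(RecordingFTPS(), "airflow", "s3cret", protect_data=False)
    fixed = ftps_get_conn(RecordingFTPS(), "airflow", "s3cret", protect_data=True)
    print("vulnerable hook issued PROT P:", data_channel_encrypted(vuln.commands))
    print("fixed hook issued PROT P:", data_channel_encrypted(fixed.commands))
    try:
        StrictFTPS().ntransfercmd("RETR report.csv")  # no host given, so nothing connects
    except ftplib.error_perm as exc:
        print("guard:", exc)
```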
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) a deployment running apache-airflow-providers-ftp before 3.15.1 that actually uses FTPSHook or FTPSFileTransmitOperator to move files over FTPS, and (2) an attacker able to observe the data connection: passive sniffing or an on-path/MITM position on the network route between the Airflow worker and the FTPS server. … |
| Risk Assessment | Signals point to a genuine but situational confidentiality risk rather than an urgent priority. … |
| Exploit Scenario | An attacker with a passive tap or man-in-the-middle position on the network segment between an Airflow worker and its FTPS server captures the data connection while a DAG runs an FTPSFileTransmitOperator task. Because PROT P was never issued, the file payloads and any credentials carried in the transfer are recorded in cleartext. … |
| Remediation | Vendor-released patch: 3.15.1. Upgrade apache-airflow-providers-ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel (fix: https://github.com/apache/airflow/pull/67946 ; advisory: https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1 ). … |
Recommended Action (AI-generated)
24 hours: Scan environment for apache-airflow-providers-ftp installations; identify all systems running versions before 3.15.1 using package inventory tools. …
Same technique: Information Disclosure
Related identifiers: EUVD-2026-39627, GHSA-fgch-86x8-fv43