
Airflow FTP Provider EUVD-2026-39627 | CVE-2026-49486 HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2026-06-26 · apache · GHSA-fgch-86x8-fv43
7.5 · CVSS 3.1 · Vendor: apache

Severity by source

Vendor (apache) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

The attacker needs an on-path or passive position to observe the data channel, hence AC:H; the impact is confidentiality-only (files and credentials), with no integrity or availability effect.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline (6 events)

Jun 26, 2026 - 16:28 · vuln.today · Analysis Updated · v3 (cvss_changed)
Jun 26, 2026 - 16:28 · vuln.today · Analysis Updated · v2 (cvss_changed)
Jun 26, 2026 - 16:22 · vuln.today · Re-analysis Queued · cvss_changed
Jun 26, 2026 - 16:22 · NVD · CVSS changed · 7.5 (HIGH)
Jun 26, 2026 - 08:15 · vuln.today · Source Code Evidence Fetched
Jun 26, 2026 - 08:15 · vuln.today · Analysis Generated

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to a 4-path depth; † marks packages from your stack dependencies)
  • 106 pypi packages depend on apache-airflow-providers-ftp (1 direct, 105 indirect)

Ecosystem-wide dependent count for version 3.15.1.

Description (CVE.org)

The Apache Airflow FTP provider's FTPSHook.get_conn() created an ftplib.FTP_TLS connection but never called prot_p(), so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using FTPSHook or FTPSFileTransmitOperator to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel.

Analysis (AI)

Cleartext data-channel exposure in the Apache Airflow FTP provider (apache-airflow-providers-ftp before 3.15.1) lets a network attacker positioned on the data path read file contents and credentials moved over FTPS. FTPSHook.get_conn() established an ftplib.FTP_TLS control connection but never issued PROT P, so payloads transferred via FTPSHook or FTPSFileTransmitOperator traveled in plaintext despite the TLS-protected control channel. Note the split the protocol imposes: the FTP login (USER/PASS) is sent on the control channel, which AUTH TLS already protects, so what the missing PROT P exposes is everything carried on data connections, that is, file payloads and directory listings, including any secrets stored in the transferred files. …
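To make the defect concrete, the following is an added example written for this page, not Airflow's own code. It contrasts the two connection patterns with Python's ftplib and adds a small audit helper. RecordingFTPS is constructed for the example: it is an FTP_TLS built without a host, so nothing connects, and it records the control commands each variant would send. connect_vulnerable and connect_fixed are hypothetical stand-ins for the pre-fix and post-fix get_conn() logic; the real hook reads host and credentials from an Airflow connection object.

```python
import ftplib


class RecordingFTPS(ftplib.FTP_TLS):
    """Offline stand-in for ftplib.FTP_TLS (constructed for this example).

    Built with no host, so no socket is opened.  Control-channel commands are
    recorded instead of sent, which is enough to show which variant issues
    PROT P.  Everything else (passive mode, the _prot_p flag that ftplib sets
    after a successful PROT P) behaves exactly as in the real class.
    """

    def __init__(self):
        super().__init__()  # no host argument -> FTP_TLS does not connect
        self.sent = []

    def voidcmd(self, cmd):
        # CPython's prot_p() is voidcmd('PBSZ 0') followed by voidcmd('PROT P')
        self.sent.append(cmd)
        return "200 OK"

    def login(self, user="", passwd="", acct="", secure=True):
        # The real login() sends AUTH TLS first and then USER/PASS over the
        # TLS-wrapped control socket; here the sequence is only recorded.
        if secure:
            self.sent.append("AUTH TLS")
        self.sent.append(f"USER {user}")
        self.sent.append("PASS <redacted>")
        return "230 Login successful"


def connect_vulnerable(conn, user, password):
    """Pre-fix pattern (hypothetical reconstruction): TLS on the control
    channel, data channel left at the server default (PROT C, cleartext).
    File payloads and directory listings travel unencrypted even though the
    login itself was protected."""
    conn.login(user, password)
    conn.set_pasv(True)
    return conn


def connect_fixed(conn, user, password):
    """Post-fix pattern: prot_p() negotiates PBSZ 0 + PROT P so every data
    connection opened afterwards is TLS-wrapped as well."""
    conn.login(user, password)
    conn.prot_p()
    conn.set_pasv(True)
    return conn


def data_channel_protected(conn):
    """Audit hook: CPython's ftplib sets the private _prot_p flag only after
    PROT P succeeded and consults it when opening data sockets.  Reading a
    private attribute is acceptable in a test, not in production code."""
    return bool(getattr(conn, "_prot_p", False))


def command_trace(conn):
    """Control commands the variant would have sent, for inspection."""
    return list(conn.sent)


if __name__ == "__main__":
    for label, fn in (("vulnerable", connect_vulnerable), ("fixed", connect_fixed)):
        c = fn(RecordingFTPS(), "airflow", "hunter2")
        print(f"{label:10s} protected={data_channel_protected(c)} sent={command_trace(c)}")
```

Running it shows the vulnerable variant stopping after the login exchange while the fixed variant appends PBSZ 0 and PROT P. On a deployment that cannot upgrade immediately, calling prot_p() on the connection the hook returns is the obvious interim measure (my suggestion, not a vendor-documented workaround); the proper fix remains the 3.15.1 upgrade.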

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:
  • Access: gain an on-path or passive network position
  • Exploit: observe the FTPS data connection during a transfer
  • Execution: capture the cleartext file payloads
  • Impact: harvest the exposed data and credentials

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) a deployment running apache-airflow-providers-ftp before 3.15.1 that actually uses FTPSHook or FTPSFileTransmitOperator to move files over FTPS, and (2) an attacker able to observe the data connection, either by passive sniffing or from an on-path/MITM position on the network route between the Airflow worker and the FTPS server. …
Risk Assessment: Signals point to a genuine but situational confidentiality risk rather than an urgent priority. …
Exploit Scenario: An attacker with a passive tap or a man-in-the-middle position on the network segment between an Airflow worker and its FTPS server captures the data connection while a DAG runs an FTPSFileTransmitOperator task. Because PROT P was never issued, the file payloads and any credentials carried in the transfer are recorded in cleartext. …
Remediation: Vendor-released patch 3.15.1. Upgrade apache-airflow-providers-ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel (fix: https://github.com/apache/airflow/pull/67946 ; advisory: https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1 ). …

Recommended Action (AI)

24 hours: Scan the environment for apache-airflow-providers-ftp installations and identify every system running a version before 3.15.1, using package inventory tools (installed-package metadata, lock files and requirements pins). …
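The inventory step above, as an added example that is not vuln.today's tooling: a Python checker that flags the provider in pinned `pip freeze` or requirements output and in the running interpreter. The SAMPLE_FREEZE text is constructed for the example; the 3.15.1 threshold comes from the advisory. The version parser deliberately treats pre-releases such as 3.15.1rc1 as below the fixed release.

```python
import re
from importlib import metadata

PACKAGE = "apache-airflow-providers-ftp"
FIXED_VERSION = "3.15.1"  # first release that issues PROT P (per the advisory)

# Constructed sample of `pip freeze` output for this example, not captured from a real host.
SAMPLE_FREEZE = """\
apache-airflow==2.9.3
apache_airflow_providers_ftp==3.14.0
apache-airflow-providers-sftp==4.10.1
Apache-Airflow-Providers-FTP==3.15.1rc1   # staging env pin
requests==2.32.3
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize_name(name):
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Reduce a version string to a comparable tuple (major, minor, patch, is_final).

    Pre-releases (a1, b2, rc1, .dev0) sort below the final release of the same
    number; post-releases and local builds (+x) sort with it.  Good enough for a
    'below the fixed release?' gate; use packaging.version for anything richer.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))
    suffix = m.group(2).strip().lower()
    is_final = 1 if (not suffix or suffix.startswith("+") or suffix.startswith(".post")) else 0
    return (*nums, is_final)


def is_vulnerable(version):
    """True for every release below 3.15.1, including 3.15.1 pre-releases."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_freeze(text):
    """Return (line_no, pinned_version, vulnerable) for each pin of the provider."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _PIN.match(line)
        if m and normalize_name(m.group(1)) == PACKAGE:
            findings.append((line_no, m.group(2), is_vulnerable(m.group(2))))
    return findings


def check_installed():
    """Inspect the running interpreter: None if the provider is absent,
    otherwise (installed_version, vulnerable)."""
    try:
        installed = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return installed, is_vulnerable(installed)


if __name__ == "__main__":
    for line_no, ver, vuln in scan_freeze(SAMPLE_FREEZE):
        print(f"line {line_no}: {PACKAGE}=={ver} -> {'VULNERABLE' if vuln else 'ok'}")
    print("installed here:", check_installed())
```

Point scan_freeze at the output of `pip freeze` from each Airflow worker and scheduler image, or at the lock file that builds them; both pins in the sample are flagged, the rc pin because a pre-release of the fixed version does not carry the fix.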

EUVD-2026-39627 vulnerability details – vuln.today
