Apache Airflow Ftp Provider

1 CVE

CVE-2026-49486 PyPI HIGH PATCH This Week

Cleartext data-channel exposure in the Apache Airflow FTP provider (apache-airflow-providers-ftp before 3.15.1) lets a network attacker positioned on the data path read file contents and credentials moved over FTPS. The FTPSHook.get_conn() method established an ftplib.FTP_TLS control connection but never issued PROT P, so payloads transferred via FTPSHook or FTPSFileTransmitOperator traveled in plaintext despite the TLS-protected control channel. There is no public exploit identified at the time of analysis, EPSS is very low (0.10%, 1st percentile), and it is not on CISA KEV.

Apache Information Disclosure Apache Airflow Ftp Provider
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%