CVE-2026-49297
Apache Software Foundation · Apache Airflow Google provider
A path traversal vulnerability in Apache Airflow's Google provider allows attackers to potentially write files to unauthorized locations due to insufficient sanitization of GCS object names.
Executive summary
A high-severity path traversal vulnerability in Apache Airflow’s Google provider could allow an attacker to write files outside of intended directories.
Vulnerability
The operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator fail to normalize or check GCS object names retrieved from the bucket listing API. This allows an attacker to influence the destination filesystem path, resulting in an improper limitation of a pathname to a restricted directory (path traversal).
Business impact
This vulnerability carries a CVSS score of 8.1, reflecting a high risk to system integrity. By exploiting path traversal, an attacker could potentially overwrite critical system files or configuration files, leading to unauthorized code execution or service disruption.
Remediation
Immediate Action: Update the Apache Airflow Google provider package to version 22.2.1 or later.
Proactive Monitoring: Audit logs for unusual file write operations or attempts to access directories outside of the designated storage paths.
Compensating Controls: Implement strict filesystem permissions for the service user running the Airflow operators to limit the scope of potential file system modifications.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users of the Apache Airflow Google provider should prioritize upgrading to the patched version. Ensuring proper input validation for external API data is essential to preventing path traversal attacks in cloud-integrated workflows.