CVE-2026-58065

Apache Software Foundation · Apache Airflow Git provider

The Apache Airflow Git provider defaults to disabling SSH host-key verification, allowing man-in-the-middle attacks to intercept credentials or inject malicious repository content.

Executive summary

A high-severity vulnerability in the Apache Airflow Git provider allows unauthenticated attackers to perform man-in-the-middle attacks, potentially leading to total system compromise.

Vulnerability

This issue involves improper key exchange without entity authentication (CWE-322). Because the provider defaults to StrictHostKeyChecking=no, it fails to verify the identity of Git servers, allowing an unauthenticated attacker on the network path to impersonate the server and intercept SSH deploy keys or inject unauthorized code.

Business impact

Successful exploitation poses a severe threat to the integrity and confidentiality of the development pipeline. By impersonating the Git server, an attacker could capture sensitive deployment credentials or inject malicious code into the production environment. With a CVSS score of 8.1, this flaw represents a significant risk to the software supply chain and operational security.

Remediation

Immediate Action: Update the Apache Airflow Git provider to version 0.4.1 or later. Ensure that a valid known_hosts file is configured to enforce strict host-key verification.

Proactive Monitoring: Monitor network traffic between Airflow workers and Git servers for unauthorized connection attempts or unexpected SSH handshake patterns.

Compensating Controls: Restrict network access to Git servers to known, trusted worker IP addresses to minimize the opportunity for man-in-the-middle interception.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Organizations utilizing the Apache Airflow Git provider must prioritize this update immediately. The ability for an attacker to intercept communications without prior authentication makes this a critical supply chain risk that must be addressed by enforcing host-key validation through the provided patch.