CVE-2026-45361: CWE-322: (Key Exchange without Entity Authentication) in Apache Software Foundation Apache Airflow Google provider
Apache Airflow Google provider's ComputeEngineSSHHook disables SSH host-key verification by default, which allows in-path attackers to intercept or modify SSH traffic between an Airflow worker and a Compute Engine VM. This vulnerability is identified as CWE-322 (Key Exchange without Entity Authentication). Users are advised to upgrade to version 22. 0. 0 or later of the apache-airflow-providers-google package to address this issue. No official patch or remediation level is explicitly stated in the advisory, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability CVE-2026-45361 affects the Apache Airflow Google provider, specifically the ComputeEngineSSHHook component. By default, this hook disables SSH host-key verification, leading to a lack of entity authentication during SSH key exchange. This weakness allows an attacker positioned in the network path to intercept or modify SSH sessions between Airflow workers and Google Compute Engine virtual machines. The issue is categorized under CWE-322. The vendor recommends upgrading to apache-airflow-providers-google version 22.0.0 or later to mitigate this risk.
Potential Impact
The impact of this vulnerability is the potential interception or modification of SSH traffic between Airflow workers and Compute Engine VMs by in-path attackers due to disabled SSH host-key verification. This could lead to unauthorized access or manipulation of data transmitted over the SSH session. However, there are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade to apache-airflow-providers-google version 22.0.0 or later, where SSH host-key verification is presumably enabled or properly handled. Patch status is not explicitly confirmed beyond this upgrade recommendation; therefore, users should consult the vendor advisory for the latest remediation guidance.
CVE-2026-45361: CWE-322: (Key Exchange without Entity Authentication) in Apache Software Foundation Apache Airflow Google provider
Description
Apache Airflow Google provider's ComputeEngineSSHHook disables SSH host-key verification by default, which allows in-path attackers to intercept or modify SSH traffic between an Airflow worker and a Compute Engine VM. This vulnerability is identified as CWE-322 (Key Exchange without Entity Authentication). Users are advised to upgrade to version 22. 0. 0 or later of the apache-airflow-providers-google package to address this issue. No official patch or remediation level is explicitly stated in the advisory, and no known exploits are reported in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-45361 affects the Apache Airflow Google provider, specifically the ComputeEngineSSHHook component. By default, this hook disables SSH host-key verification, leading to a lack of entity authentication during SSH key exchange. This weakness allows an attacker positioned in the network path to intercept or modify SSH sessions between Airflow workers and Google Compute Engine virtual machines. The issue is categorized under CWE-322. The vendor recommends upgrading to apache-airflow-providers-google version 22.0.0 or later to mitigate this risk.
Potential Impact
The impact of this vulnerability is the potential interception or modification of SSH traffic between Airflow workers and Compute Engine VMs by in-path attackers due to disabled SSH host-key verification. This could lead to unauthorized access or manipulation of data transmitted over the SSH session. However, there are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade to apache-airflow-providers-google version 22.0.0 or later, where SSH host-key verification is presumably enabled or properly handled. Patch status is not explicitly confirmed beyond this upgrade recommendation; therefore, users should consult the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-11T23:58:59.829Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a141902a5ae1af1aa7fdd80
Added to database: 5/25/2026, 9:40:18 AM
Last enriched: 5/25/2026, 9:55:37 AM
Last updated: 5/25/2026, 11:48:28 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.