CVE-2026-49486: CWE-319: Cleartext Transmission of Sensitive Information in Apache Software Foundation Apache Airflow FTP provider
The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
AI Analysis
Technical Summary
The Apache Airflow FTP provider's FTPSHook.get_conn() method creates an ftplib.FTP_TLS connection but fails to call the prot_p() method. As a result, while the control channel is TLS-protected, the data channel remains unencrypted and is transmitted in cleartext. This vulnerability (CWE-319) allows an attacker with network access to intercept sensitive file contents and credentials during FTPS file transfers. The issue affects all versions of apache-airflow-providers-ftp prior to 3.15.1. The fix in version 3.15.1 adds the missing PROT P command to encrypt the data channel.
Potential Impact
File contents and credentials transmitted over FTPS using the vulnerable Apache Airflow FTP provider are exposed in cleartext on the data channel. This allows network attackers to intercept sensitive information during file transfers. The control channel remains encrypted, but the lack of data channel encryption compromises confidentiality of transferred data.
Mitigation Recommendations
Upgrade apache-airflow-providers-ftp to version 3.15.1 or later, which issues the PROT P command to encrypt the FTPS data channel. This official fix ensures that both control and data channels are protected by TLS. No other mitigations are indicated by the vendor advisory.
CVE-2026-49486: CWE-319: Cleartext Transmission of Sensitive Information in Apache Software Foundation Apache Airflow FTP provider
Description
The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
Affected software
pkg:pypi/apache-airflow-providers-ftpRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache Airflow FTP provider's FTPSHook.get_conn() method creates an ftplib.FTP_TLS connection but fails to call the prot_p() method. As a result, while the control channel is TLS-protected, the data channel remains unencrypted and is transmitted in cleartext. This vulnerability (CWE-319) allows an attacker with network access to intercept sensitive file contents and credentials during FTPS file transfers. The issue affects all versions of apache-airflow-providers-ftp prior to 3.15.1. The fix in version 3.15.1 adds the missing PROT P command to encrypt the data channel.
Potential Impact
File contents and credentials transmitted over FTPS using the vulnerable Apache Airflow FTP provider are exposed in cleartext on the data channel. This allows network attackers to intercept sensitive information during file transfers. The control channel remains encrypted, but the lack of data channel encryption compromises confidentiality of transferred data.
Mitigation Recommendations
Upgrade apache-airflow-providers-ftp to version 3.15.1 or later, which issues the PROT P command to encrypt the FTPS data channel. This official fix ensures that both control and data channels are protected by TLS. No other mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-31T01:40:24.353Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3e2e3e4853345fc17628c9
Added to database: 06/26/2026, 07:46:06 UTC
Last enriched: 06/26/2026, 08:01:56 UTC
Last updated: 06/26/2026, 12:22:08 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.