CVE-2026-50203: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Software Foundation Apache Airflow SFTP provider
CVE-2026-50203 is a path traversal vulnerability in the Apache Airflow SFTP provider affecting the SFTPHook.retrieve_directory and SFTPOperator with the get operation. This flaw allows a malicious or compromised remote SFTP server to write files outside the intended local destination directory by using crafted directory-entry names. No Airflow account is required to exploit this vulnerability, making any deployment that downloads directories from an untrusted SFTP server potentially vulnerable. The issue is fixed in version 5.8.1 of the apache-airflow-providers-sftp package.
AI Analysis
Technical Summary
The vulnerability in Apache Airflow SFTP provider (CVE-2026-50203) involves improper limitation of a pathname to a restricted directory (CWE-22). Specifically, the SFTPHook.retrieve_directory and SFTPOperator (operation=get) do not properly sanitize directory-entry names received from a remote SFTP server. This allows a malicious or compromised SFTP server to perform path traversal attacks, writing files outside the configured local destination directory. Exploitation requires no authentication to Airflow itself, only interaction with an untrusted SFTP server. The vulnerability affects versions of apache-airflow-providers-sftp prior to 5.8.1.
Potential Impact
An attacker controlling or compromising a remote SFTP server can cause files to be written outside the intended local directory on the Airflow deployment. This could lead to arbitrary file overwrite or creation, potentially impacting system integrity or causing denial of service. Since no Airflow account is required, the attack surface includes any deployment that downloads directories from untrusted SFTP servers.
Mitigation Recommendations
Upgrade the apache-airflow-providers-sftp package to version 5.8.1 or later, where this path traversal vulnerability is fixed. There is no indication of alternative mitigations or temporary fixes. Patch status is confirmed by the vendor advisory stating the fix is in 5.8.1.
CVE-2026-50203: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Software Foundation Apache Airflow SFTP provider
Description
CVE-2026-50203 is a path traversal vulnerability in the Apache Airflow SFTP provider affecting the SFTPHook.retrieve_directory and SFTPOperator with the get operation. This flaw allows a malicious or compromised remote SFTP server to write files outside the intended local destination directory by using crafted directory-entry names. No Airflow account is required to exploit this vulnerability, making any deployment that downloads directories from an untrusted SFTP server potentially vulnerable. The issue is fixed in version 5.8.1 of the apache-airflow-providers-sftp package.
Affected software
pkg:pypi/apache-airflow-providers-sftpRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Airflow SFTP provider (CVE-2026-50203) involves improper limitation of a pathname to a restricted directory (CWE-22). Specifically, the SFTPHook.retrieve_directory and SFTPOperator (operation=get) do not properly sanitize directory-entry names received from a remote SFTP server. This allows a malicious or compromised SFTP server to perform path traversal attacks, writing files outside the configured local destination directory. Exploitation requires no authentication to Airflow itself, only interaction with an untrusted SFTP server. The vulnerability affects versions of apache-airflow-providers-sftp prior to 5.8.1.
Potential Impact
An attacker controlling or compromising a remote SFTP server can cause files to be written outside the intended local directory on the Airflow deployment. This could lead to arbitrary file overwrite or creation, potentially impacting system integrity or causing denial of service. Since no Airflow account is required, the attack surface includes any deployment that downloads directories from untrusted SFTP servers.
Mitigation Recommendations
Upgrade the apache-airflow-providers-sftp package to version 5.8.1 or later, where this path traversal vulnerability is fixed. There is no indication of alternative mitigations or temporary fixes. Patch status is confirmed by the vendor advisory stating the fix is in 5.8.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-06-04T00:05:50.170Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31ffcc0b89be68889b027e
Added to database: 6/17/2026, 2:00:44 AM
Last enriched: 6/17/2026, 2:15:08 AM
Last updated: 6/17/2026, 5:03:37 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.