Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-58065: CWE-322: Key Exchange without Entity Authentication in Apache Software Foundation Apache Airflow Git provider

0
High
VulnerabilityCVE-2026-58065cvecve-2026-58065cwe-322
Published: 07/13/2026 (07/13/2026, 15:00:49 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Airflow Git provider

Description

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.

Affected software

apache-airflow-providers-git
pkg:pypi/apache-airflow-providers-git
Affected versions
<0.4.1

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 15:47:48 UTC

Technical Analysis

The Apache Airflow Git provider runs git-over-SSH operations with StrictHostKeyChecking disabled by default, which disables SSH host-key verification. This design flaw (CWE-322) allows a man-in-the-middle attacker on the network path between an Airflow worker and the Git server to impersonate the server. Such an attacker could capture SSH deploy keys or inject malicious content into repositories cloned by Airflow. The vulnerability affects versions prior to 0.4.1. The fix involves changing the default behavior to verify host keys and requires upgrading to apache-airflow-providers-git 0.4.1 or later and configuring a known_hosts file.

Potential Impact

An attacker capable of intercepting network traffic between an Airflow worker and the Git server can impersonate the Git server, potentially capturing sensitive SSH deploy keys and injecting malicious code into repositories used by Airflow. This compromises the integrity and confidentiality of the deployment process that relies on the Git provider for cloning repositories over SSH.

Mitigation Recommendations

Upgrade the Apache Airflow Git provider to version 0.4.1 or later, which changes the default to verify SSH host keys. Additionally, configure a known_hosts file to enable proper SSH host-key verification. This remediation effectively mitigates the risk of man-in-the-middle attacks exploiting this vulnerability.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-06-28T14:39:59.245Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a55054468715ace4357fcba

Added to database: 07/13/2026, 15:33:24 UTC

Last enriched: 07/13/2026, 15:47:48 UTC

Last updated: 07/13/2026, 20:03:18 UTC

Views: 12

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses