CVE-2026-50203
Awaiting Analysis
Path Traversal in Apache Airflow SFTP Provider

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Apache Software Foundation

Description
A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required - the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache-airflow-providers-sftp | From 5.8.1 (inc) |
| apache | apache_airflow_providers_sftp | 5.8.1 |

| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |

Executive Summary

CVE-2026-50203 is a path traversal vulnerability in the Apache Airflow SFTP provider, specifically in the SFTPHook.retrieve_directory method and SFTPOperator(operation=get).

This vulnerability allows a malicious or compromised remote SFTP server to write files outside the configured local destination directory by using crafted directory-entry names containing path traversal components like "..".

No Airflow account is required to exploit this issue, so any deployment that downloads directories from an untrusted SFTP server is vulnerable.

The issue was fixed by adding a containment check to ensure that files are only written within the intended destination directory.

Impact Analysis

This vulnerability can allow a malicious or compromised remote SFTP server to write files outside the intended local directory on your system.

Such unauthorized file writes can lead to overwriting or creating files in sensitive locations, potentially causing data corruption, unauthorized code execution, or system compromise.

Since no Airflow account is required, any deployment that downloads directories from an untrusted SFTP server is at risk, increasing the attack surface.

To mitigate this risk, upgrading the apache-airflow-providers-sftp package to version 5.8.1 or later is recommended.

Detection Guidance

This vulnerability involves a path traversal in the SFTP provider where crafted directory-entry names from a remote SFTP server can cause files to be written outside the intended local destination directory.

Detection would involve monitoring or inspecting SFTP download operations for unexpected file writes outside the configured destination directory.

Specifically, you can check for files created or modified outside the expected directory after SFTP downloads.

  • Use filesystem monitoring tools (e.g., inotifywait on Linux) to watch for file creation events outside the intended directory during SFTP operations.
  • Manually inspect downloaded directory contents for suspicious filenames containing path traversal components like "..".
  • Example command to find files modified recently outside the expected directory (replace /expected/destination with your path):
      find / -type f -newermt '2026-06-17' ! -path '/expected/destination/*' -ls
  • Review Airflow logs for SFTP download operations to identify any anomalies or errors related to file paths.

Mitigation Strategies

The primary and recommended mitigation is to upgrade the apache-airflow-providers-sftp package to version 5.8.1 or later.

This update includes a fix that validates each computed local path to ensure it remains within the configured destination directory, preventing path traversal.

Additionally, avoid downloading directories from untrusted or compromised remote SFTP servers until the upgrade is applied.

If immediate upgrade is not possible, consider restricting or monitoring SFTP downloads carefully to detect suspicious file writes.
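
The containment check described above, sketched as an added Python example (not the provider's own code): each server-supplied entry name is joined to the destination, resolved, and rejected if the result leaves that directory. The function names and the sample listing are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed listing: relative entry names as a remote server might report them.
SAMPLE_ENTRIES = [
    "reports/2026/q1.csv",
    "../outside.txt",
    "reports/../../outside.txt",
    "/tmp/absolute.txt",
    "reports/./ok.txt",
]


def naive_local_path(dest_dir: str, entry: str) -> str:
    """Unchecked join: trusts the server-supplied name (the unsafe pattern)."""
    return os.path.normpath(os.path.join(dest_dir, entry))


def contained_local_path(dest_dir: str, entry: str) -> Path:
    """Join, resolve, then require the result to stay under dest_dir."""
    dest = Path(dest_dir).resolve()
    # resolve() collapses ".." and follows symlinks already present on disk.
    candidate = (dest / entry).resolve()
    if candidate != dest and dest not in candidate.parents:
        raise ValueError(f"entry {entry!r} escapes {dest}")
    return candidate


def partition_entries(dest_dir: str, entries):
    """Return (accepted_paths, rejected_entries) for a directory listing."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(contained_local_path(dest_dir, entry))
        except ValueError:
            rejected.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as dest:
        ok, bad = partition_entries(dest, SAMPLE_ENTRIES)
        for entry in bad:
            print("rejected:", entry, "-> unchecked join:", naive_local_path(dest, entry))
        print("accepted:", [str(p) for p in ok])
```

Resolving before comparing also rejects entries that pass through a symlink inside the destination pointing elsewhere, which a plain string-prefix comparison would miss.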
