CVE-2026-50203: Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory

June 17, 2026 (updated June 18, 2026)

A path traversal in the SFTP provider (SFTPHook.retrieve_directory / SFTPOperator(operation=get)) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade apache-airflow-providers-sftp to 5.8.1 or later.

References

github.com/advisories/GHSA-qf38-jq28-3ccq
github.com/apache/airflow/pull/67985
lists.apache.org/thread/7f4b284oh44c1n95oq8mh1qc7y1lr9dx
nvd.nist.gov/vuln/detail/CVE-2026-50203

Code Behaviors & Features

Detect and mitigate CVE-2026-50203 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →