CVE-2026-49297 in Airflow Google Providerinfo

Summary

by MITRE • 07/06/2026

Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains `..` segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP `destination_path` for `GCSToSFTPOperator`; the worker-local temp directory for `GCSTimeSpanFileTransformOperator`), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to `apache-airflow-providers-google` 22.2.1 or later.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability in Apache Airflow's Google provider operators represents a critical path traversal flaw that enables malicious actors to manipulate file system operations through crafted GCS object names. This security issue affects two specific operators within the Google provider package: GCSToSFTPOperator and GCSTimeSpanFileTransformOperator. The fundamental problem lies in how these operators handle GCS object names during file transfer operations, where they directly concatenate bucket listing API responses to destination paths without proper validation or sanitization measures.

The technical implementation of this vulnerability stems from the lack of path normalization and containment checks when processing GCS object identifiers. When a user with write access to a source bucket creates an object name containing directory traversal sequences such as "..", these sequences are preserved and directly incorporated into the file system path construction. This behavior violates standard security principles for path handling and creates opportunities for arbitrary file system manipulation. The vulnerability is particularly dangerous because it leverages legitimate GCS operations while exploiting the trust relationship between the DAG author and the service account used for file transfers.

Operational impact of this vulnerability extends beyond simple file overwrites to encompass potential compromise of entire file systems and network infrastructure. For GCSToSFTPOperator, malicious actors can overwrite arbitrary files on remote SFTP servers by crafting object names that traverse the destination path structure. In the case of GCSTimeSpanFileTransformOperator, attackers can write files to the worker host's local temporary directory, potentially leading to privilege escalation or system compromise. The attack vector is particularly concerning in multi-tenant environments where different trust levels exist between data producers and DAG authors, as it allows less-trusted principals to affect operations typically restricted to trusted users.

This vulnerability aligns with CWE-23 (Relative Path Traversal) and CWE-73 (Path Traversal) categories within the Common Weakness Enumeration framework, demonstrating how improper input validation can lead to severe security consequences. The attack pattern maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: Python) and T1499.004 (Cryptocurrency Mining) through potential exploitation paths that could lead to system compromise. Organizations using Apache Airflow deployments that ingest data from buckets writable by less-trusted principals face significant risk exposure, as the vulnerability can be exploited without requiring elevated privileges or direct access to the Airflow environment itself.

Mitigation strategies should prioritize immediate upgrades to apache-airflow-providers-google version 22.2.1 or later, which implements proper path normalization and containment checks. Additional defensive measures include implementing strict object naming conventions for GCS buckets used in Airflow operations, configuring network segmentation between sensitive and less-trusted data sources, and establishing monitoring for unusual file system access patterns. Organizations should also consider implementing least-privilege principles for service account permissions, ensuring that write access to ingestion buckets does not automatically grant the ability to influence destination file system operations. Regular security auditing of Airflow DAG configurations and operator usage patterns can help identify and remediate similar vulnerabilities before they can be exploited in production environments.

Sources

Do you know our Splunk app?

Download it now for free!