CVE-2026-49486
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
The Apache Airflow FTP provider's FTPS connection does not encrypt the data channel. Although the control channel is TLS-protected, data is transmitted in cleartext, allowing a network attacker to intercept file contents and credentials.
Risk Assessment
The organization risks exposure of sensitive data transmitted over FTPS, including file contents and credentials, which can be intercepted by an attacker on the local or intermediary network.
Recommendation
Immediately upgrade the apache-airflow-providers-ftp package to version 3.15.1 or later, which enables data channel encryption (PROT P) by default.
Original NVD description (English source)
The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

