CVE Catalog

CVE-2026-49486

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

18th percentile — higher than 18% of all known CVEs

Summary

The Apache Airflow FTP provider's FTPS connection does not encrypt the data channel. Although the control channel is TLS-protected, data is transmitted in cleartext, allowing a network attacker to intercept file contents and credentials.

Risk Assessment

The organization risks exposure of sensitive data transmitted over FTPS, including file contents and credentials, which can be intercepted by an attacker on the local or intermediary network.

Recommendation

Immediately upgrade the apache-airflow-providers-ftp package to version 3.15.1 or later, which enables data channel encryption (PROT P) by default.

Original NVD description (English source)

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS