CVE-2026-50203
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A path traversal vulnerability in the SFTP provider allows a malicious or compromised remote SFTP server to write files outside the configured local destination directory. No Airflow account is required, and the attack surface includes any deployment downloading directories from an untrusted SFTP server.
Risk Assessment
Organizations may be exposed to unauthorized access to file systems, potentially leading to data loss or the introduction of malware.
Recommendation
It is recommended to upgrade the `apache-airflow-providers-sftp` package to version 5.8.1 or later to mitigate this vulnerability.
Original NVD description (English source)
A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

