Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <12869722-1c2d-8c2f-fdfe-3fb31fb40c81@apache.org>
Date: Mon, 13 Jul 2026 14:17:24 +0000
From: Vincent Beck <vincbeck@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-58065: Apache Airflow Git provider: Git provider hook
 defaults to StrictHostKeyChecking=no, disabling SSH host-key verification 

Severity: moderate 

Affected versions:

- Apache Airflow Git provider (apache-airflow-providers-git) before 0.4.1

Description:

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.

Credit:

Siyang Wu (independent researcher) (finder)
Ephraim Anierobi (remediation developer)

References:

https://github.com/apache/airflow/pull/69103
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-58065

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.