PYSEC-2026-1148

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-ftp/PYSEC-2026-1148.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1148
Aliases
Published
2026-07-07T11:45:39.923405Z
Modified
2026-07-07T17:46:27.151333223Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider
Details

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook lacks complete certificate validation in FTPTLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.createdefaultcontext() during FTPTLS instantiation is used as mitigation to validate the certificates properly.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.

References

Affected packages

PyPI / apache-airflow-providers-ftp

Package

Name
apache-airflow-providers-ftp
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-ftp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.0

Affected versions

1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.1.0rc1
1.1.0
2.*
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc1
2.0.1
2.1.0rc1
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.1.0rc1
3.1.0
3.2.0rc1
3.2.0
3.3.0rc1
3.3.0rc2
3.3.0
3.3.1rc1
3.3.1
3.4.0rc1
3.4.0rc2
3.4.0
3.4.1rc1
3.4.1
3.4.2rc1
3.4.2
3.5.0rc1
3.5.0
3.5.1rc1
3.5.1
3.5.2rc1
3.5.2
3.6.0rc1
3.6.0
3.6.1rc1
3.6.1
3.7.0rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-ftp/PYSEC-2026-1148.yaml"