PYSEC-2026-166

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-google/PYSEC-2026-166.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-166

Aliases

CVE-2026-45361

Published

2026-05-25T10:16:15.087Z

Modified

2026-05-28T12:00:04.639866123Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to apache-airflow-providers-google 22.0.0 or later.

References

Affected packages

PyPI / apache-airflow-providers-google

Package

Name: apache-airflow-providers-google; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow-providers-google

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.0.0

Affected versions

1.*

1.0.0b1

1.0.0b2

1.0.0rc1

1.0.0

2.*

2.0.0rc1

2.0.0

2.1.0rc1

2.1.0

2.2.0rc1

2.2.0

3.*

3.0.0rc1

3.0.0

4.*

4.0.0rc1

4.0.0rc2

4.0.0

4.1.0rc1

5.*

5.0.0rc2

5.0.0

5.1.0rc1

5.1.0

6.*

6.0.0rc1

6.0.0

6.1.0rc1

6.1.0

6.2.0rc1

6.2.0

6.3.0rc1

6.3.0

6.4.0rc1

6.4.0rc2

6.4.0rc3

6.4.0

6.5.0rc1

6.5.0

6.6.0rc1

6.6.0

6.7.0rc1

6.7.0

6.8.0rc1

6.8.0

7.*

7.0.0rc1

7.0.0

8.*

8.0.0rc1

8.0.0rc2

8.0.0

8.1.0rc1

8.1.0

8.2.0rc1

8.2.0

8.3.0rc1

8.3.0rc2

8.3.0rc3

8.3.0

8.4.0rc1

8.4.0rc2

8.4.0

8.5.0rc1

8.5.0

8.6.0rc2

8.6.0rc3

8.6.0

8.7.0rc1

8.7.0rc2

8.7.0

8.8.0rc1

8.8.0

8.9.0rc1

8.9.0

8.10.0rc1

8.10.0

8.11.0rc1

8.11.0

8.12.0rc1

8.12.0

9.*

9.0.0rc1

9.0.0rc2

9.0.0

10.*

10.0.0rc1

10.0.0

10.1.0rc1

10.1.0rc2

10.1.0

10.1.1rc1

10.1.1

10.2.0rc1

10.2.0

10.3.0rc1

10.3.0rc2

10.3.0

10.4.0rc1

10.4.0

10.5.0rc1

10.5.0

10.6.0rc1

10.6.0rc2

10.6.0rc3

10.6.0

10.7.0rc1

10.7.0

10.8.0rc1

10.8.0

10.9.0rc1

10.9.0

10.10.0rc1

10.10.0

10.10.1rc1

10.10.1

10.11.0rc1

10.11.0

10.11.1rc1

10.11.1

10.12.0rc1

10.12.0

10.13.0rc1

10.13.0rc2

10.13.0rc3

10.13.0

10.13.1rc1

10.13.1

10.14.0rc1

10.14.0rc2

10.14.0

10.15.0rc1

10.15.0

10.16.0rc1

10.16.0

10.17.0rc1

10.17.0

10.18.0rc1

10.18.0rc2

10.18.0

10.19.0rc1

10.19.0

10.20.0rc1

10.20.0

10.21.0rc1

10.21.0

10.21.1rc1

10.21.1rc2

10.21.1

10.22.0rc1

10.22.0

10.23.0rc1

10.23.0

10.24.0rc1

10.24.0

10.25.0rc1

10.25.0

10.26.0rc1

10.26.0

11.*

11.0.0rc1

11.0.0

12.*

12.0.0rc1

12.0.0rc2

12.0.0

13.*

13.0.0

14.*

14.0.0rc1

14.0.0

14.1.0rc1

14.1.0

15.*

15.0.0rc1

15.0.0

15.0.1rc1

15.0.1

15.1.0rc1

15.1.0

16.*

16.0.0rc1

16.0.0

16.1.0rc1

16.1.0

17.*

17.0.0rc1

17.0.0

17.1.0rc1

17.1.0

17.2.0rc1

17.2.0

18.*

18.0.0rc1

18.0.0

18.1.0rc1

18.1.0

19.*

19.0.0rc1

19.0.0

19.1.0rc1

19.1.0rc2

19.1.0

19.2.0rc1

19.2.0

19.3.0rc1

19.3.0

19.4.0rc1

19.4.0rc2

19.4.0

19.5.0rc1

19.5.0

20.*

20.0.0rc1

20.0.0rc2

20.0.0

21.*

21.0.0rc1

21.0.0rc2

21.0.0

21.1.0rc1

21.1.0

21.2.0rc1

21.2.0

21.3.0rc1

21.3.0

22.*

22.0.0rc1

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-google/PYSEC-2026-166.yaml"