PYSEC-2026-2084

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-google/PYSEC-2026-2084.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2084
Aliases
  • CVE-2026-49297
Published
2026-07-06T11:16:30.207Z
Modified
2026-07-09T12:00:05.746225220Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains .. segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP destination_path for GCSToSFTPOperator; the worker-local temp directory for GCSTimeSpanFileTransformOperator), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to apache-airflow-providers-google 22.2.1 or later.

References

Affected packages

PyPI / apache-airflow-providers-google

Package

Name
apache-airflow-providers-google
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-google

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.2.1

Affected versions

1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
2.*
2.0.0rc1
2.0.0
2.1.0rc1
2.1.0
2.2.0rc1
2.2.0
3.*
3.0.0rc1
3.0.0
4.*
4.0.0rc1
4.0.0rc2
4.0.0
4.1.0rc1
5.*
5.0.0rc2
5.0.0
5.1.0rc1
5.1.0
6.*
6.0.0rc1
6.0.0
6.1.0rc1
6.1.0
6.2.0rc1
6.2.0
6.3.0rc1
6.3.0
6.4.0rc1
6.4.0rc2
6.4.0rc3
6.4.0
6.5.0rc1
6.5.0
6.6.0rc1
6.6.0
6.7.0rc1
6.7.0
6.8.0rc1
6.8.0
7.*
7.0.0rc1
7.0.0
8.*
8.0.0rc1
8.0.0rc2
8.0.0
8.1.0rc1
8.1.0
8.2.0rc1
8.2.0
8.3.0rc1
8.3.0rc2
8.3.0rc3
8.3.0
8.4.0rc1
8.4.0rc2
8.4.0
8.5.0rc1
8.5.0
8.6.0rc2
8.6.0rc3
8.6.0
8.7.0rc1
8.7.0rc2
8.7.0
8.8.0rc1
8.8.0
8.9.0rc1
8.9.0
8.10.0rc1
8.10.0
8.11.0rc1
8.11.0
8.12.0rc1
8.12.0
9.*
9.0.0rc1
9.0.0rc2
9.0.0
10.*
10.0.0rc1
10.0.0
10.1.0rc1
10.1.0rc2
10.1.0
10.1.1rc1
10.1.1
10.2.0rc1
10.2.0
10.3.0rc1
10.3.0rc2
10.3.0
10.4.0rc1
10.4.0
10.5.0rc1
10.5.0
10.6.0rc1
10.6.0rc2
10.6.0rc3
10.6.0
10.7.0rc1
10.7.0
10.8.0rc1
10.8.0
10.9.0rc1
10.9.0
10.10.0rc1
10.10.0
10.10.1rc1
10.10.1
10.11.0rc1
10.11.0
10.11.1rc1
10.11.1
10.12.0rc1
10.12.0
10.13.0rc1
10.13.0rc2
10.13.0rc3
10.13.0
10.13.1rc1
10.13.1
10.14.0rc1
10.14.0rc2
10.14.0
10.15.0rc1
10.15.0
10.16.0rc1
10.16.0
10.17.0rc1
10.17.0
10.18.0rc1
10.18.0rc2
10.18.0
10.19.0rc1
10.19.0
10.20.0rc1
10.20.0
10.21.0rc1
10.21.0
10.21.1rc1
10.21.1rc2
10.21.1
10.22.0rc1
10.22.0
10.23.0rc1
10.23.0
10.24.0rc1
10.24.0
10.25.0rc1
10.25.0
10.26.0rc1
10.26.0
11.*
11.0.0rc1
11.0.0
12.*
12.0.0rc1
12.0.0rc2
12.0.0
13.*
13.0.0
14.*
14.0.0rc1
14.0.0
14.1.0rc1
14.1.0
15.*
15.0.0rc1
15.0.0
15.0.1rc1
15.0.1
15.1.0rc1
15.1.0
16.*
16.0.0rc1
16.0.0
16.1.0rc1
16.1.0
17.*
17.0.0rc1
17.0.0
17.1.0rc1
17.1.0
17.2.0rc1
17.2.0
18.*
18.0.0rc1
18.0.0
18.1.0rc1
18.1.0
19.*
19.0.0rc1
19.0.0
19.1.0rc1
19.1.0rc2
19.1.0
19.2.0rc1
19.2.0
19.3.0rc1
19.3.0
19.4.0rc1
19.4.0rc2
19.4.0
19.5.0rc1
19.5.0
20.*
20.0.0rc1
20.0.0rc2
20.0.0
21.*
21.0.0rc1
21.0.0rc2
21.0.0
21.1.0rc1
21.1.0
21.2.0rc1
21.2.0
21.3.0rc1
21.3.0
22.*
22.0.0rc1
22.0.0
22.1.0rc1
22.1.0
22.2.0rc1
22.2.0
22.2.1rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-google/PYSEC-2026-2084.yaml"