PYSEC-2026-238
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-ftp/PYSEC-2026-238.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-238
- Aliases
-
- CVE-2026-49486
- Published
- 2026-06-26T08:16:23.830Z
- Modified
- 2026-06-27T11:15:05.116183630Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The Apache Airflow FTP provider's
FTPSHook.get_conn()created anftplib.FTP_TLSconnection but never calledprot_p(), so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment usingFTPSHookorFTPSFileTransmitOperatorto move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to3.15.1or later, which issuesPROT Pto encrypt the data channel. - References
Affected packages
PyPI / apache-airflow-providers-ftp
Package
- Name
- apache-airflow-providers-ftp
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow-providers-ftp
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.15.1
Affected versions
1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.1.0rc1
1.1.0
2.*
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc1
2.0.1
2.1.0rc1
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.1.0rc1
3.1.0
3.2.0rc1
3.2.0
3.3.0rc1
3.3.0rc2
3.3.0
3.3.1rc1
3.3.1
3.4.0rc1
3.4.0rc2
3.4.0
3.4.1rc1
3.4.1
3.4.2rc1
3.4.2
3.5.0rc1
3.5.0
3.5.1rc1
3.5.1
3.5.2rc1
3.5.2
3.6.0rc1
3.6.0
3.6.1rc1
3.6.1
3.7.0rc1
3.7.0
3.8.0rc1
3.8.0rc2
3.8.0
3.9.0rc1
3.9.0
3.9.1rc1
3.9.1
3.10.0rc1
3.10.0
3.10.1rc1
3.10.1
3.11.0rc1
3.11.0
3.11.1rc1
3.11.1
3.12.0rc1
3.12.0rc2
3.12.0
3.12.1
3.12.2rc1
3.12.2
3.12.3rc1
3.12.3
3.13.0rc1
3.13.0
3.13.1rc1
3.13.1
3.13.2rc1
3.13.2
3.13.3rc1
3.13.3
3.14.0rc1
3.14.0
3.14.1rc1
3.14.1
3.14.2rc1
3.14.2
3.14.3rc1
3.14.3
3.15.0rc1
3.15.0
3.15.1rc1