Home

Description

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.

PUBLISHED Reserved 2026-06-28 | Published 2026-07-13 | Updated 2026-07-13 | Assigner apache

Problem types

CWE-322: Key Exchange without Entity Authentication

Product status

Default status
unaffected

Any version before 0.4.1
affected

Credits

Siyang Wu (independent researcher) finder

Ephraim Anierobi remediation developer

References

github.com/apache/airflow/pull/69103 patch

lists.apache.org/thread/fjmclngfksz2kp7llpcjxzdz568h0zhc vendor-advisory

cve.org (CVE-2026-58065)

nvd.nist.gov (CVE-2026-58065)

Download JSON