https://cvealert.net/products/apache-airflow-providers-sftp/Recent content in Apache-Airflow-Providers-Sftp on CVE Alert & Security FeedHugoen-usWed, 17 Jun 2026 13:20:47 +0000https://cvealert.net/posts/cve-2026-50203/Wed, 17 Jun 2026 13:20:47 +0000https://cvealert.net/posts/cve-2026-50203/A path traversal in the SFTP provider (<code>SFTPHook.retrieve_directory</code> / <code>SFTPOperator(operation=get)</code>) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade <code>apache-airflow-providers-sftp</code> to 5.8.1 or later.