Path Traversal in Apache Software Foundation Airflow Google Provider
CVE-2026-49297
Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment…
Vulnerability class: Path Traversal (Directory Traversal)
Affected products
- Apache Software Foundation Airflow Google Provider — versions 0
Weakness classification (CWE)
References
- security@apache.org (patch)
- security@apache.org (vendor-advisory)
- af854a3a-2127-422b-91ae-364da2661108