Path Traversal in Apache Software Foundation Airflow Google Provider

CVE-2026-49297

Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment…

Vulnerability class: Path Traversal (Directory Traversal)

Affected products

Weakness classification (CWE)

References