CVE-2026-45361

Summary

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to apache-airflow-providers-google 22.0.0 or later.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Airflow Google provider0 < 22.0.0affected

Weaknesses

  • CWE-322: CWE-322: Key Exchange without Entity Authentication

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References