Apache Airflow Google Provider ComputeEngineSSHHook SSH Host Key Verification Disabled Vulnerability

Vulnerability

A vulnerability exists in the Apache Airflow Google provider's ComputeEngineSSHHook, which disables SSH host-key verification by default. This flaw exposes SSH traffic between an Airflow worker and a Google Compute Engine VM to potential interception or modification by in-path network attackers. The issue affects versions of the Apache Airflow Google provider prior to 22.0.0.

Impact

Exploitation of this vulnerability allows for interception or modification of SSH sessions between Airflow workers and Compute Engine VMs, potentially leading to unauthorized access or manipulation of data.

Remediation

Users are advised to upgrade to apache-airflow-providers-google version 22.0.0 or later.
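To find deployments still pinned below the fixed release, the following added example (not part of the original advisory or of Apache Airflow) audits requirements or `pip freeze` lines for the provider package. The sample input, including the extra name and the look-alike package name, is constructed for illustration, and only plain `==` pins are classified automatically.

```python
import re

PACKAGE = "apache-airflow-providers-google"
FIXED = (22, 0, 0)  # first fixed release named in the advisory

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
PIN = re.compile(r"^==\s*(\d+(?:\.\d+)*)$")


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(lines):
    """Return (line_number, status, requirement) for lines naming the provider.

    status: "affected" (pinned below FIXED), "fixed" (pinned at or above),
    "review" (unpinned, ranged, or pre/post-release; needs a human look).
    """
    findings = []
    for number, raw in enumerate(lines, start=1):
        # Drop trailing comments and environment markers before parsing.
        req = raw.split("#", 1)[0].split(";", 1)[0].strip()
        match = REQ.match(req)
        if not match or normalize(match.group(1)) != PACKAGE:
            continue
        pin = PIN.match(match.group(2).strip())
        if not pin:
            status = "review"
        else:
            release = tuple(int(part) for part in pin.group(1).split("."))
            release += (0,) * (len(FIXED) - len(release))  # "22" -> (22, 0, 0)
            status = "fixed" if release >= FIXED else "affected"
        findings.append((number, status, req))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
apache-airflow==2.10.0
apache-airflow-providers-google==21.0.0
Apache_Airflow.Providers-Google[someextra]==22.0.0 ; python_version >= "3.10"
apache-airflow-providers-google>=20.0  # floating range
apache-airflow-providers-google-extras==1.0
""".splitlines()

if __name__ == "__main__":
    for number, status, req in audit(SAMPLE):
        print(f"line {number}: {status:8} {req}")
```

Lines reported as "review" can still resolve to an affected release at install time, so check the version actually installed on each worker.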

Added: May 26, 2026, 8:00 PM
Updated: May 26, 2026, 8:00 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 5.0
exploitability: 5.9
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.