CVE-2026-49486 | The Apache Airflow FTP provider's `FTPSHook.get_conn()` crea… | CVSS 7.5 HIGH

Description

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

Metadata

CVE ID: CVE-2026-49486
State: PUBLISHED
Assigner: apache
Reserved: 2026-05-31 01:40 UTC
Published: 2026-06-26 07:05 UTC
Last updated: 2026-06-26 18:36 UTC
Primary CWE: CWE-319
CWE-319: Cleartext Transmission of Sensitive Information
Vendor / Product: Apache Software Foundation / Apache Airflow FTP provider
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache Airflow FTP provider	—	0 < 3.15.1

Weakness (CWE)

CWE	Source	Description
CWE-319	cna	CWE-319: Cleartext Transmission of Sensitive Information

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (2)