Back to overview

CVE-2026-58065

Description
The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.

Metadata

CVE ID
CVE-2026-58065
State
PUBLISHED
Assigner
apache
Reserved
2026-06-28 14:39 UTC
Published
2026-07-13 15:00 UTC
Last updated
2026-07-13 19:30 UTC
Primary CWE
CWE-322
CWE-322: Key Exchange without Entity Authentication
Vendor / Product
Apache Software Foundation / Apache Airflow Git provider
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Apache Software Foundation Apache Airflow Git provider 0 < 0.4.1
Weakness (CWE)
CWESourceDescription
CWE-322 cna CWE-322: Key Exchange without Entity Authentication
Back to overview