Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-49486 · CVSS 7.5 · Exploited · Patched
apache · apache-airflow-providers-ftp

Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)

Description

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`. `FTP_TLS` upgrades only the control connection to TLS (the `AUTH TLS` step that `login()` performs); the separate data connection that carries `RETR`/`STOR` payloads and directory listings stays in cleartext until the client issues `PBSZ 0` and `PROT P`, which is exactly what `prot_p()` does. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS therefore exposed the transferred file contents to a network attacker positioned to observe the data connection, even though the login credentials on the control channel were encrypted. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` so the data channel is TLS-protected as well. The fix is on the client side: unless the FTPS server is configured to reject unprotected data connections, every Airflow environment still running an older provider keeps transferring in cleartext, so check the installed provider version rather than the server.
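As an added example (not code from the Airflow provider or from this page), the `ftplib` call sequence that produces the flaw next to the corrected one, plus a guard that refuses to transfer anything until `PROT P` has been issued. The function names and the `FakeFTPS` double are constructed for illustration; `_prot_p` is the private flag CPython's `ftplib.FTP_TLS` sets in `prot_p()` and consults in `ntransfercmd()`, so the runtime check relies on an implementation detail rather than a public API.

```python
"""Added example, not code from the Airflow project or the ZDM page.

Shows the pattern behind CVE-2026-49486 (an ftplib.FTP_TLS client that never
calls prot_p()) beside the corrected sequence, plus a runtime guard.
Assumptions (not from the page): the function names are hypothetical;
`_prot_p` is the private flag CPython's ftplib.FTP_TLS sets in prot_p() and
consults in ntransfercmd() to decide whether to TLS-wrap data sockets.
"""
import ftplib
import io
import ssl


def make_ftps_client(host: str, port: int = 21, timeout: float = 30.0) -> ftplib.FTP_TLS:
    """Real client: verifies the server certificate against the system trust store."""
    client = ftplib.FTP_TLS(context=ssl.create_default_context(), timeout=timeout)
    client.connect(host, port)
    return client


def connect_vulnerable(client, user: str, password: str):
    """Before-fix sequence: AUTH TLS protects only the control connection."""
    client.auth()                 # upgrade the control socket to TLS
    client.login(user, password)  # USER/PASS travel encrypted...
    client.set_pasv(True)
    return client                 # ...but without PROT P, RETR/STOR payloads are cleartext


def connect_fixed(client, user: str, password: str):
    """After-fix sequence: prot_p() sends PBSZ 0 and PROT P."""
    client.auth()
    client.login(user, password)
    client.prot_p()               # every later data connection is TLS-wrapped
    client.set_pasv(True)
    return client


def data_channel_protected(client) -> bool:
    """Guard to run before any transfer; True only after a successful PROT P."""
    return bool(getattr(client, "_prot_p", False))


def upload(client, remote_name: str, payload: bytes) -> None:
    """Refuse to push data over an unprotected data channel."""
    if not data_channel_protected(client):
        raise RuntimeError("FTPS data channel is cleartext: call prot_p() first")
    client.storbinary(f"STOR {remote_name}", io.BytesIO(payload))


class FakeFTPS:
    """Constructed stand-in for ftplib.FTP_TLS so the example runs offline.

    Records the command sequence and whether each transfer would have been
    encrypted, mirroring the `_prot_p` flag ftplib itself uses.
    """

    def __init__(self) -> None:
        self.commands: list[str] = []
        self.transfers: list[tuple[str, bool]] = []
        self._prot_p = False

    def auth(self) -> None:
        self.commands.append("AUTH TLS")

    def login(self, user: str, password: str) -> None:
        self.commands.extend([f"USER {user}", "PASS ********"])

    def prot_p(self) -> None:
        self.commands.extend(["PBSZ 0", "PROT P"])
        self._prot_p = True

    def set_pasv(self, enabled: bool) -> None:
        self.commands.append("PASV" if enabled else "PORT")

    def storbinary(self, cmd: str, fp) -> None:
        self.commands.append(cmd)
        self.transfers.append((cmd, self._prot_p))


def demo() -> dict:
    """Run both sequences against the fake and report what the wire would carry."""
    vulnerable = connect_vulnerable(FakeFTPS(), "airflow", "s3cret")
    # The old hook had no guard, so the transfer goes straight out in cleartext.
    vulnerable.storbinary("STOR report.csv", io.BytesIO(b"pii,goes,here"))
    fixed = connect_fixed(FakeFTPS(), "airflow", "s3cret")
    upload(fixed, "report.csv", b"pii,goes,here")
    return {
        "vulnerable_data_encrypted": vulnerable.transfers[0][1],
        "fixed_data_encrypted": fixed.transfers[0][1],
        "fixed_commands": fixed.commands,
    }


if __name__ == "__main__":
    print(demo())
```

Against a live server the only change is swapping `FakeFTPS()` for `make_ftps_client(host)`; the guard in `upload()` then fails closed on any code path that still skips `prot_p()`.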

Affected Products

Vendor   Product                        Versions
apache   apache-airflow-providers-ftp   0 (as listed; per the description, versions before 3.15.1)

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor   Product   Source          Confidence
apache   airflow   cert_advisory   90%

References

  • https://github.com/apache/airflow/pull/67946 (patch)
  • https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1 (vendor advisory)

Related News (3 articles)

  • [Tier C] oss-security, 1d ago: CVE-2026-49486: Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P) → No new info (linked only)
  • [Tier B] BSI Advisories, 1d ago: [NEW] [medium] Apache Airflow FTP Provider: vulnerability allows information disclosure → No new info (linked only)
  • [Tier C] VulDB, 1d ago: CVE-2026-49486 | Apache Airflow up to 3.15.0 FTP Provider FTPSHook.get_conn cleartext transmission → No new info (linked only)
CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: 3.15.1
CWE: CWE-319 (Cleartext Transmission of Sensitive Information)
Published: Jun 26, 2026
Last enriched: 1d ago (v3)
Trending Score: 60
Source articles: 3
Independent: 3
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack


Related CVEs (5)

  • MEDIUM · CVE-2026-57914 (exploit available) · Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures · Trending: 45
  • HIGH · CVE-2026-43870 · Apache Thrift: Node.js web_server.js multi-vulnerability · Trending: 43
  • HIGH · CVE-2026-57915 · Apache Kerby: Kerberos Pre-Authentication Bypass · Trending: 42
  • HIGH · CVE-2026-42403 (exploit available) · Apache Neethi: Circular Policy Reference Infinite Loop · Trending: 41
  • HIGH · CVE-2026-42402 (exploit available) · Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS · Trending: 41


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Jun 26, 2026: CVE Published
  • Jun 26, 2026: Discovered by ZDM
  • Jun 26, 2026: Updated: description, severity
  • Jun 26, 2026: Updated: severity, exploitAvailable, activelyExploited
  • Jun 26, 2026: Actively Exploited
  • Jun 26, 2026: Exploit Available
  • Jun 26, 2026: Patch Available

Version History

Current version: v3 (last enriched 1d ago)

v3 (Tier C, 1d ago)
Updated severity from HIGH to MEDIUM and marked exploit as available and actively exploited.
Fields: severity, exploitAvailable, activelyExploited
Source: oss-security

v2 (Tier C, 1d ago)
Updated description with new details, changed severity to HIGH, and noted that no exploit exists.
Fields: description, severity
Source: VulDB

v1 (1d ago)
Initial creation