Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2771 articles · 174989 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-58065EXPLOITEDPATCHED
apache software foundation · apache airflow git provider

Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification

Description

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.

Affected Products

VendorProductVersions
apache software foundationapache airflow git provider0

References

  • https://github.com/apache/airflow/pull/69103(patch)
  • https://lists.apache.org/thread/fjmclngfksz2kp7llpcjxzdz568h0zhc(vendor-advisory)

Related News (2 articles)

Tier C
oss-security6h ago
CVE-2026-58065: Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
→ No new info (linked only)
Tier C
VulDB7h ago
CVE-2026-58065 | Apache Airflow up to 0.4.0 Git Provider channel accessible
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
0.4.1
CWECWE-322
PublishedJul 13, 2026
Last enriched7h agov2
Trending Score51
Source articles3
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-59245EXP
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Trending: 52
NONECVE-2026-49365
Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Trending: 18
NONECVE-2026-49099
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Trending: 18
NONECVE-2026-49098
Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
Trending: 18
MEDIUMCVE-2026-49296
Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Trending: 18

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 13, 2026
Discovered by ZDM
Jul 13, 2026
Updated: description, severity, activelyExploited
Jul 13, 2026
Actively Exploited
Jul 13, 2026
Patch Available
Jul 13, 2026

Version History

v2
Last enriched 7h ago
v2Tier C7h ago

Updated severity to CRITICAL, changed exploit availability to false, and provided a new description detailing the vulnerability.

descriptionseverityactivelyExploited
via VulDB
v18h ago

Initial creation