GHSA-v3mh-27qj-w836HighCVSS 8.1

Apache Airflow's Google provider operators `GCSToSFTPOperator` and ...

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains .. segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP destination_path for GCSToSFTPOperator; the worker-local temp directory for GCSTimeSpanFileTransformOperator), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to apache-airflow-providers-google 22.2.1 or later.

🔗 References (5)