CVE-2026-58065

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:apache-airflow-providers-git:*:*:*:*:*:*:*:*

History

14 Jul 2026, 01:08

Type Values Removed Values Added
CPE cpe:2.3:a:apache:apache-airflow-providers-git:*:*:*:*:*:*:*:*
First Time Apache
Apache apache-airflow-providers-git
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.1
References () https://github.com/apache/airflow/pull/69103 - () https://github.com/apache/airflow/pull/69103 - Issue Tracking, Patch
References () https://lists.apache.org/thread/fjmclngfksz2kp7llpcjxzdz568h0zhc - () https://lists.apache.org/thread/fjmclngfksz2kp7llpcjxzdz568h0zhc - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2026/07/13/3 - () http://www.openwall.com/lists/oss-security/2026/07/13/3 - Mailing List, Third Party Advisory

13 Jul 2026, 20:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2026/07/13/3 -

13 Jul 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-13 16:16

Updated : 2026-07-14 14:16


NVD link : CVE-2026-58065

Mitre link : CVE-2026-58065

CVE.ORG link : CVE-2026-58065


JSON object : View

Products Affected

apache

  • apache-airflow-providers-git
CWE
CWE-322

Key Exchange without Entity Authentication