The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git `0.4.1` or later and configure a `known_hosts` file.
References
| Link | Resource |
|---|---|
| https://github.com/apache/airflow/pull/69103 | Issue Tracking Patch |
| https://lists.apache.org/thread/fjmclngfksz2kp7llpcjxzdz568h0zhc | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/07/13/3 | Mailing List Third Party Advisory |
Configurations
History
14 Jul 2026, 01:08
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:apache:apache-airflow-providers-git:*:*:*:*:*:*:*:* | |
| First Time |
Apache
Apache apache-airflow-providers-git |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
| References | () https://github.com/apache/airflow/pull/69103 - Issue Tracking, Patch | |
| References | () https://lists.apache.org/thread/fjmclngfksz2kp7llpcjxzdz568h0zhc - Mailing List, Vendor Advisory | |
| References | () http://www.openwall.com/lists/oss-security/2026/07/13/3 - Mailing List, Third Party Advisory |
13 Jul 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
13 Jul 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-13 16:16
Updated : 2026-07-14 14:16
NVD link : CVE-2026-58065
Mitre link : CVE-2026-58065
CVE.ORG link : CVE-2026-58065
JSON object : View
Products Affected
apache
- apache-airflow-providers-git
CWE
CWE-322
Key Exchange without Entity Authentication
