CVE-2026-45361 PUBLISHED

Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)

Assigner: apache
Reserved: 11.05.2026 Published: 25.05.2026 Updated: 25.05.2026

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to apache-airflow-providers-google 22.0.0 or later.

Product Status

Vendor	Apache Software Foundation
Product	Apache Airflow Google provider
Versions	Default: unaffected affected from 0 to 22.0.0 (excl.)

Credits

Jarek Potiuk remediation developer

References

https://github.com/apache/airflow/pull/66746
https://lists.apache.org/thread/3lpj7ppwxp7jtp81rnxk75xvln7qd7h2

Problem Types

CWE-322: (Key Exchange without Entity Authentication) CWE