CVE-2026-58065 PUBLISHED

Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification

Assigner: apache
Reserved: 28.06.2026 Published: 13.07.2026 Updated: 13.07.2026

The Apache Airflow Git provider runs its git-over-SSH operations with StrictHostKeyChecking=no by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments that use the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected. The fix changes the default to verify host keys; upgrade to apache-airflow-providers-git 0.4.1 or later and configure a known_hosts file.

Product Status

Vendor Apache Software Foundation
Product Apache Airflow Git provider
Versions Default: unaffected
  • affected from 0 to 0.4.1 (excl.)

Credits

  • Siyang Wu (independent researcher) finder
  • Ephraim Anierobi remediation developer

References

Problem Types

  • CWE-322: Key Exchange without Entity Authentication CWE