QwikSec

Security Database

CVE

CWE

Training

CVE-2026-45361

Published: May 25, 2026

Modified: Jun 1, 2026

PUBLISHED

Description

Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later.

Vendor	Product	Versions
Apache Software Foundation	Apache Airflow Google provider	affected `0 - < 22.0.0`

Weaknesses (CWE)

References

https://github.com/apache/airflow/pull/66746

patch

https://lists.apache.org/thread/[email protected]

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.