Description
The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FTP provider for Apache Airflow creates an ftplib.FTP_TLS connection but never issues the PROT P command, so only the control channel (where USER/PASS are sent) is wrapped in TLS; every data connection opened afterwards for RETR, STOR, LIST or NLST is plain TCP. This flaw, a CWE‑319 “Cleartext Transmission of Sensitive Information”, lets an eavesdropper on the data connection read file contents and directory listings moved by Airflow tasks, including any secrets those files contain, compromising the confidentiality of data that passes through Airflow workflows.

Affected Systems

Apache Airflow FTP provider, specifically deployments using FTPSHook or FTPSFileTransmitOperator with versions earlier than 3.15.1. Upgrading apache‑airflow‑providers‑ftp to 3.15.1 or later applies the missing PROT P command and encrypts the data channel. Deployments that use the plain FTPHook are not affected by this issue (they never had an encrypted channel to begin with).

Risk and Exploitability

The vulnerability could be exploited by an attacker positioned on the network path between the Airflow worker and the FTPS server, or otherwise able to passively capture the FTPS data connections (the separate TCP sessions, typically to a PASV port, that carry the file bytes); it does not require credentials, code execution or breaking the TLS on the control channel. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5) reflects an unauthenticated network attacker with a confidentiality-only impact, while the EPSS score of < 1% suggests a very low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Despite the low EPSS, the impact on confidentiality is substantial and exploitation leaves no trace on either endpoint, so applying the vendor’s patch promptly is warranted.

Generated by OpenCVE AI on June 26, 2026 at 18:38 UTC.

Remediation

Vendor fix: upgrade apache‑airflow‑providers‑ftp to 3.15.1 or later, which issues PROT P to encrypt the data channel (see Description). No separate workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade apache‑airflow‑providers‑ftp to version 3.15.1 or later to ensure that the data channel is encrypted with PROT P
  • If an upgrade is not immediately possible, refrain from using FTPSHook or FTPSFileTransmitOperator and switch to transports that encrypt the payload end to end, such as SFTP (SSH) or authenticated HTTPS, for file transfers
  • Restrict network access to the Airflow instance and the FTPS servers so that only trusted hosts can initiate data connections, reducing the exposure window for potential eavesdroppers
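The setup pattern the Impact section describes and the corrected one, side by side, with a check that tells them apart. This is an added example, not the provider's own code: the host, user and password are placeholders, and RecordingFTPS is a constructed offline stand-in that records control-channel commands instead of opening sockets, so the logic can be exercised without a server.

```python
"""Vulnerable vs. corrected FTPS session setup with ftplib.FTP_TLS.

Added example, not code from apache-airflow-providers-ftp. Host, user and
password are placeholders; RecordingFTPS is a constructed test double.
"""
import ftplib
import ssl
from typing import List


def connect_ftps(host: str, user: str, password: str, *,
                 protect_data: bool = True,
                 conn_cls=ftplib.FTP_TLS,
                 timeout: float = 30.0) -> ftplib.FTP_TLS:
    """Open an FTPS session.

    protect_data=False reproduces the flaw: login() wraps the control channel
    in TLS (AUTH TLS before USER/PASS), but no PROT P is issued, so every later
    RETR/STOR/LIST data socket is plain TCP. protect_data=True adds the step
    the fixed provider performs.
    """
    # Verify the server certificate and hostname; ftplib's default context does not.
    ctx = ssl.create_default_context()
    conn = conn_cls(context=ctx, timeout=timeout)
    conn.connect(host, 21)
    conn.login(user, password)          # AUTH TLS, then USER/PASS inside TLS
    if protect_data:
        conn.prot_p()                   # PBSZ 0 + PROT P: encrypt the data channel
    return conn


def data_channel_protected(conn: ftplib.FTP_TLS) -> bool:
    """True once PROT P has been negotiated on this session.

    ftplib.FTP_TLS records the result of prot_p() in the private attribute
    _prot_p and consults it in ntransfercmd() to decide whether each data
    socket is wrapped in TLS. Private attribute, so treat this as a smoke
    test; a packet capture of the data connection is the authoritative check.
    """
    return bool(getattr(conn, "_prot_p", False))


class RecordingFTPS(ftplib.FTP_TLS):
    """Offline stand-in constructed for this example: records the commands
    that would go over the control channel instead of opening any socket."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.sent: List[str] = []

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        self.host = host
        return "220 fake server"

    def auth(self):                     # FTP_TLS.login() calls this for AUTH TLS
        self.sent.append("AUTH TLS")

    def sendcmd(self, cmd):             # USER/PASS from login() go through here
        self.sent.append(cmd)
        return "200 OK"

    def voidcmd(self, cmd):             # PBSZ 0 / PROT P from prot_p() go through here
        self.sent.append(cmd)
        return "200 OK"


if __name__ == "__main__":
    weak = connect_ftps("ftps.example.internal", "airflow", "secret",
                        protect_data=False, conn_cls=RecordingFTPS)
    fixed = connect_ftps("ftps.example.internal", "airflow", "secret",
                         conn_cls=RecordingFTPS)
    print("unfixed:", weak.sent, "data channel protected:", data_channel_protected(weak))
    print("fixed:  ", fixed.sent, "data channel protected:", data_channel_protected(fixed))
```

Against a real server, drop conn_cls so the default ftplib.FTP_TLS is used. If the provider cannot be upgraded right away, the same one-line fix can be applied locally by subclassing the hook and calling prot_p() on the connection that get_conn() returns, before any transfer operator uses it (the hook lives in airflow.providers.ftp.hooks.ftp, which is an assumption about the package layout, not something this page states); confirm the result with a capture of the data connection showing a TLS handshake rather than cleartext file bytes.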

Generated by OpenCVE AI on June 26, 2026 at 18:38 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description                    The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
Title                          Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)
Weaknesses                     CWE-319
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-26T18:36:15.852Z

Reserved: 2026-05-31T01:40:24.353Z

Link: CVE-2026-49486

Vulnrichment

Updated: 2026-06-26T18:36:15.852Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:45:03Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information