Vulnerability Description
The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.
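As an added example (this is not the provider's own code and not the patch itself), the snippet below places the connection shape the advisory describes beside the hardened form, and uses a constructed offline stand-in for `ftplib.FTP_TLS` so a team can check which shape a hook produces without a live server. The hostname and credentials are placeholders, and `data_channel_protected()` relies on the assumption that CPython's `FTP_TLS` keeps its `PROT P` state in the private `_prot_p` attribute.

```python
"""Added example: control-channel-only FTPS versus FTPS with PROT P.
Not Apache Airflow code; the stub class below is a constructed stand-in."""
import ftplib
import ssl


def open_ftps_control_only(host, user, password, ftp_cls=ftplib.FTP_TLS):
    """Pre-fix shape: AUTH TLS protects the control channel, but PROT P is
    never sent, so every data connection (LIST, RETR, STOR) is cleartext."""
    conn = ftp_cls(context=ssl.create_default_context())
    conn.connect(host, 21)
    conn.login(user, password)   # FTP_TLS.login() issues AUTH TLS first
    return conn


def open_ftps_hardened(host, user, password, ftp_cls=ftplib.FTP_TLS):
    """Fixed shape: PBSZ 0 + PROT P switches the data channel to TLS."""
    conn = ftp_cls(context=ssl.create_default_context())
    conn.connect(host, 21)
    conn.login(user, password)
    conn.prot_p()                # sends PBSZ 0, then PROT P
    return conn


def data_channel_protected(conn) -> bool:
    """ftplib only wraps data sockets in TLS when FTP_TLS._prot_p is set.
    Assumption: this private CPython attribute is present (true in 3.x)."""
    return bool(getattr(conn, "_prot_p", False))


class RecordingFTPS(ftplib.FTP_TLS):
    """Constructed offline stand-in: records the commands a connection
    builder would send instead of opening any socket."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.sent = []

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        self.host, self.port = host, port
        return "220 stub ready"

    def login(self, user="", passwd="", acct="", secure=True):
        self.sent += ["AUTH TLS", f"USER {user}", "PASS ****"]
        return "230 stub logged in"

    def prot_p(self):
        self.sent += ["PBSZ 0", "PROT P"]
        self._prot_p = True      # mirrors what the real prot_p() does
        return "200 stub protection level set to P"


def audit(opener, host="ftps.example.test", user="airflow", password="secret"):
    """Run a connection builder against the stub and report
    (commands sent, data channel protected?)."""
    conn = opener(host, user, password, ftp_cls=RecordingFTPS)
    return conn.sent, data_channel_protected(conn)


if __name__ == "__main__":
    for name, opener in (("control-only", open_ftps_control_only),
                         ("hardened", open_ftps_hardened)):
        sent, protected = audit(opener)
        print(f"{name}: sent={sent} data_channel_protected={protected}")
```

Running the script shows the first builder never emits `PROT P` and leaves the data channel unprotected, while the second emits `PBSZ 0` and `PROT P` before any transfer. Against a real server the same check applies: if `prot_p()` has not been called on the `FTP_TLS` object before `retrbinary()` or `storbinary()`, the file bytes cross the network without TLS even though the login was encrypted.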
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Apache-Airflow-Providers-Ftp | < 3.15.1 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/67946 (Issue Tracking, Patch)
- https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/06/26/1
FAQ
What is CVE-2026-49486?
CVE-2026-49486 is a vulnerability with a CVSS score of 7.5 (HIGH). The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext.
How severe is CVE-2026-49486?
CVE-2026-49486 has been rated HIGH with a CVSS base score of 7.5/10.
Is there a patch for CVE-2026-49486?
Yes. Upgrade apache-airflow-providers-ftp to 3.15.1 or later; the references section above links the patch and the vendor advisory. Affected products include: Apache Apache-Airflow-Providers-Ftp.