CVE-2026-45361

CVE-2026-45361: Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)

Vendor Apache Software Foundation

Product Apache Airflow Google provider

Weakness CWE-322

Published May 25, 2026

Last update June 1, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later.

Key dates

Disclosure timeline

May 25, 2026 CVE published

June 1, 2026 Record updated