PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45361 Apache Software Foundation CVE debrief

Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Because the default configuration skips host-key verification, the worker has no way to tell the intended VM from a man-in-the-middle. This affects automated workflows that use the Google Cloud provider to manage Compute Engine instances via SSH. The CVSS 3.1 score of 8.1 reflects a network attack vector, high attack complexity, and high impact on confidentiality, integrity, and availability. The fix was implemented in apache-airflow-providers-google version 22.0.0.

Vendor: Apache Software Foundation
Product: Apache Airflow Google provider
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

Organizations running Apache Airflow with Google Cloud provider integrations for Compute Engine management; DevOps and data engineering teams managing cloud infrastructure automation; security teams monitoring SSH security posture in cloud-native data pipelines; compliance teams assessing cryptographic authentication controls in automated workflows.

Technical summary

The `ComputeEngineSSHHook` in apache-airflow-providers-google versions prior to 22.0.0 defaults to disabling SSH host-key verification. This configuration allows network-positioned attackers to perform man-in-the-middle attacks against SSH sessions between Airflow workers and Google Compute Engine VMs, potentially intercepting credentials, exfiltrating data, or executing unauthorized commands. The vulnerability is classified as CWE-322 (Key Exchange without Entity Authentication). The attack requires network access to the communication path but no user interaction or privileges. Resolution requires upgrading to version 22.0.0 or explicitly enabling host-key verification in hook configurations.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade apache-airflow-providers-google to version 22.0.0 or later
  • Review existing Airflow DAGs using ComputeEngineSSHHook for SSH host-key verification configuration
  • Enable strict host-key verification in ComputeEngineSSHHook configurations where not already enforced
  • Audit network paths between Airflow workers and Compute Engine VMs for potential interception points
  • Monitor for anomalous SSH connection patterns or unexpected host-key changes in production environments
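
An added example (not PatchSiren's or the Airflow project's code) supporting the first two actions above: it compares a provider version against the fixed release 22.0.0 and uses Python's `ast` module to locate `ComputeEngineSSHHook` calls in DAG source, including aliased imports, so each one can be reviewed. The sample DAG, its VM name and zone, and the alias `GceSSH` are constructed for illustration.

```python
import ast
import re
from importlib import metadata

PACKAGE = "apache-airflow-providers-google"  # distribution named in the advisory
FIXED = (22, 0, 0)                           # first fixed version per the advisory
HOOK = "ComputeEngineSSHHook"

# Constructed sample DAG source; it is only parsed, never executed.
SAMPLE_DAG = '''
from airflow.providers.google.cloud.hooks.compute_ssh import ComputeEngineSSHHook as GceSSH
hook = GceSSH(instance_name="example-vm", zone="example-zone", use_oslogin=True)
'''

def version_tuple(version):
    """Leading numeric release parts, padded to three; pre-release suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    nums = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple(nums + [0] * (3 - len(nums)))[:3]

def is_vulnerable(version):
    return version_tuple(version) < FIXED

def installed_version():
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None  # provider not installed in this environment

def find_hook_uses(source):
    """Return sorted (line, keyword names) for every call to the hook or an alias of it."""
    tree = ast.parse(source)
    names = {HOOK}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            names.update(a.asname for a in node.names if a.name == HOOK and a.asname)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            f = node.func
            called = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if called in names:
                hits.append((node.lineno, sorted(k.arg for k in node.keywords if k.arg)))
    return sorted(hits)

if __name__ == "__main__":
    v = installed_version()
    print(PACKAGE, v or "not installed", "VULNERABLE" if v and is_vulnerable(v) else "")
    for line, kwargs in find_hook_uses(SAMPLE_DAG):
        print(f"line {line}: {HOOK}({', '.join(kwargs)}) -> review host-key verification")
```

The reported keyword names show how each hook is configured, so a reviewer can confirm against the 22.0.0 provider documentation whether host-key verification is enforced for that call.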

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. NVD status: Undergoing Analysis. Weakness: CWE-322 (Key Exchange without Entity Authentication). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

2026-05-25T10:16:15.087Z