PatchSiren cyber security CVE debrief
CVE-2026-58065 Apache Software Foundation CVE debrief
The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. This allows an attacker who can intercept the network path between an Airflow worker and the Git server to impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments using the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected.
- Vendor
- Apache Software Foundation
- Product
- Apache Airflow Git provider
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-14
Who should care
Users of Apache Airflow with Git provider configured for SSH deployments should verify their configurations and update to apache-airflow-providers-git `0.4.1` or later. Ensure a `known_hosts` file is configured to verify host keys.
Technical summary
The Apache Airflow Git provider's default configuration for git-over-SSH operations is `StrictHostKeyChecking=no`, which disables SSH host-key verification. This makes it possible for an attacker to intercept network traffic between an Airflow worker and a Git server, impersonating the server to capture SSH deploy keys or inject malicious repository content. The vulnerability affects deployments that use the Git DAG bundle or Git provider for SSH cloning with a deploy key. The fix changes the default behavior to verify host keys; users are advised to upgrade to apache-airflow-providers-git version `0.4.1` or later and configure a `known_hosts` file.
Defensive priority
High priority due to the potential for man-in-the-middle attacks and unauthorized access to sensitive repository content.
Recommended defensive actions
- Upgrade to apache-airflow-providers-git version `0.4.1` or later.
- Configure a `known_hosts` file to verify SSH host keys.
- Review and update SSH deployment configurations to ensure secure practices.
- Monitor for suspicious network activity between Airflow workers and Git servers.
- Implement additional security measures such as SSH key rotation and repository access controls.
Evidence notes
The CVE record was published on 2026-07-13T16:16:41.757Z and was last modified on 2026-07-14T01:08:34.450Z. The NVD entry is currently Analyzed. References include vendor advisories and issue tracking links.
Official resources
-
CVE-2026-58065 CVE record
CVE.org
-
CVE-2026-58065 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Mailing List, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T16:16:41.757Z and has not been modified since then. The NVD entry is currently Analyzed.