PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58065 Apache Software Foundation CVE debrief

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. This allows an attacker who can intercept the network path between an Airflow worker and the Git server to impersonate the server (man-in-the-middle), capturing the SSH deploy key or injecting malicious repository content. Deployments using the Git DAG bundle or Git provider to clone over SSH with a deploy key are affected.

Vendor
Apache Software Foundation
Product
Apache Airflow Git provider
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-14
Advisory published
2026-07-13
Advisory updated
2026-07-14

Who should care

Users of Apache Airflow with Git provider configured for SSH deployments should verify their configurations and update to apache-airflow-providers-git `0.4.1` or later. Ensure a `known_hosts` file is configured to verify host keys.

Technical summary

The Apache Airflow Git provider's default configuration for git-over-SSH operations is `StrictHostKeyChecking=no`, which disables SSH host-key verification. This makes it possible for an attacker to intercept network traffic between an Airflow worker and a Git server, impersonating the server to capture SSH deploy keys or inject malicious repository content. The vulnerability affects deployments that use the Git DAG bundle or Git provider for SSH cloning with a deploy key. The fix changes the default behavior to verify host keys; users are advised to upgrade to apache-airflow-providers-git version `0.4.1` or later and configure a `known_hosts` file.

Defensive priority

High priority due to the potential for man-in-the-middle attacks and unauthorized access to sensitive repository content.

Recommended defensive actions

  • Upgrade to apache-airflow-providers-git version `0.4.1` or later.
  • Configure a `known_hosts` file to verify SSH host keys.
  • Review and update SSH deployment configurations to ensure secure practices.
  • Monitor for suspicious network activity between Airflow workers and Git servers.
  • Implement additional security measures such as SSH key rotation and repository access controls.

Evidence notes

The CVE record was published on 2026-07-13T16:16:41.757Z and was last modified on 2026-07-14T01:08:34.450Z. The NVD entry is currently Analyzed. References include vendor advisories and issue tracking links.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T16:16:41.757Z and has not been modified since then. The NVD entry is currently Analyzed.