CVE-2026-45361— Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
Possible ATT&CK Techniques 1AI
T1041 · Exfiltration Over C2 ChannelGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45361
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
未进行实体认证的密钥交换
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Airflow Google provider | 0 ~ 22.0.0 | - |
II. Public POCs for CVE-2026-45361
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45361
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-45361 (1)
Mailing List Discussions for CVE-2026-45361 (1)
Same Patch Batch · Apache Software Foundation · 2026-05-25 · 5 CVEs total
| CVE-2026-42797 | Apache Syncope: JexlContextBuilder Information Disclosure | |
| CVE-2026-42782 | Apache Syncope: Post-auth RCE via Groovy static | |
| CVE-2026-46745 | Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reacha | |
| CVE-2026-45249 | Apache ECharts: XSS in Lines series tooltip rendering |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-42797
Apache Syncope: JexlContextBuilder Information Disclosure - CVE-2026-42782
Apache Syncope: Post-auth RCE via Groovy static - CVE-2026-46745
Apache Airflow FAB provider: LDAP Filter Injection in FAB Au - CVE-2026-45249
Apache ECharts: XSS in Lines series tooltip rendering - CVE-2026-44417
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS
Same weakness: CWE-322
- CVE-2026-1354
Zero Motorcycles Firmware Key Exchange without Entity Authen - CVE-2025-13914
Apstra: SSH host key validation vulnerability for managed de - CVE-2026-33697
CoCoS attested TLS is vulnerable to relay attacks via extrac - CVE-2026-1709
Keylime: keylime: authentication bypass allows unauthorized - CVE-2025-62501
SSH Hostkey Misconfiguration Vulnerability in TP-Link Archer
V. Comments for CVE-2026-45361
No comments yet