What is GHSA-qf38-jq28-3ccq?

GHSA-qf38-jq28-3ccq is a security advisory published by GitHub Security Advisories with Critical severity. Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory

Which CVE IDs does GHSA-qf38-jq28-3ccq cover?

GHSA-qf38-jq28-3ccq covers the following CVE IDs: CVE-2026-50203. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-qf38-jq28-3ccq?

GHSA-qf38-jq28-3ccq has a CVSS v3 base score of 9.1, published by GitHub Security Advisories.

Which products are affected by GHSA-qf38-jq28-3ccq?

GHSA-qf38-jq28-3ccq affects 1 product, including: pip/apache-airflow-providers-sftp:\u003c 5.8.1.

GHSA-qf38-jq28-3ccqCriticalCVSS 9.1

Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory

Vendor

GitHub Security Advisories

Published

June 17, 2026

Last Modified

June 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-50203 →

📋 Description

A path traversal in the SFTP provider (SFTPHook.retrieve_directory / SFTPOperator(operation=get)) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade apache-airflow-providers-sftp to 5.8.1 or later.

🎯 Affected products1

pip/apache-airflow-providers-sftp:< 5.8.1

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-50203
https://github.com/apache/airflow/pull/67985
https://lists.apache.org/thread/7f4b284oh44c1n95oq8mh1qc7y1lr9dx
http://www.openwall.com/lists/oss-security/2026/06/16/3
https://github.com/advisories/GHSA-qf38-jq28-3ccq