High severity8.1NVD Advisory· Published May 25, 2026· Updated Jun 1, 2026
CVE-2026-45361
CVE-2026-45361
Description
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to apache-airflow-providers-google 22.0.0 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- cpe:2.3:a:apache:apache-airflow-providers-google:*:*:*:*:*:*:*:*Range: <22.0.0
Patches
Vulnerability mechanics
References
3- github.com/apache/airflow/pull/66746nvdIssue TrackingPatch
- www.openwall.com/lists/oss-security/2026/05/24/9nvdMailing ListThird Party Advisory
- lists.apache.org/thread/3lpj7ppwxp7jtp81rnxk75xvln7qd7h2nvd
News mentions
1- Apache Ships 12 Patches Across 7 Projects: Shiro, Airflow, Syncope Lead the BatchVypr Intelligence · May 28, 2026