Skip to content
Verified reproduction

CVE-2026-49297: Apache Airflow Google provider path traversal via GCS object names

CVE-2026-49297 is verified against apache-airflow-providers-google · pip affected versions: before 22.2.1 (both bugs present in 22.0.0; GCSTimeSpanFileTransformOperator fixed in 22.1.0 via PR #67509; GCSToSFTPOperator fixed in 22.2.0 via PR #67667) fixed version: 22.2.1 vulnerability class: Path Traversal This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00257.

REPRO-2026-00257 apache-airflow-providers-google · pip Path Traversal Variant found Jul 6, 2026 .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 56m 55s
Tool calls 352
Spend $10.75
Affected before 22.2.1 (both bugs present in 22.0.0; GCSTimeSpanFileTransformOperator fixed in 22.1.0 via PR #67509; GCSToSFTPOperator fixed in 22.2.0 via PR #67667)
Fixed in 22.2.1
$ pruva-verify REPRO-2026-00257
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00257/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator join GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket can create an object whose name contains '..' segments and cause the DAG run to write the downloaded blob outside the configured destination (SFTP destination_path for GCSToSFTPOperator; worker-local temp directory for GCSTimeSpanFileTransformOperator), enabling arbitrary file overwrite on the SFTP server or worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Fixed in apache-airflow-providers-google 22.2.1.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.