CVE-2026-45361 Overview
CVE-2026-45361 affects the apache-airflow-providers-google package, where the ComputeEngineSSHHook disables SSH host-key verification by default. This configuration exposes SSH sessions between Airflow workers and Google Compute Engine virtual machines to interception or modification by in-path network attackers. The flaw is categorized under [CWE-322] (Key Exchange without Entity Authentication). Apache has released apache-airflow-providers-google version 22.0.0 to address the issue.
Critical Impact
An adversary positioned on the network path between an Airflow worker and a Compute Engine VM can intercept credentials, execute man-in-the-middle attacks, and tamper with SSH session traffic without detection.
Affected Products
- Apache Airflow providers-google package versions prior to 22.0.0
- Deployments using ComputeEngineSSHHook to connect to Google Compute Engine VMs
- Airflow workflows orchestrating SSH-based tasks against GCP instances
Discovery Timeline
- 2026-05-25 - CVE-2026-45361 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45361
Vulnerability Analysis
The ComputeEngineSSHHook class in apache-airflow-providers-google establishes SSH connections from Airflow workers to Compute Engine VMs. By default, the hook does not verify the remote host's SSH public key against a trusted known_hosts entry. The Airflow worker accepts any key presented during the SSH handshake.
This behavior eliminates the entity authentication step that SSH normally enforces. An attacker who can intercept network traffic between the worker and the target VM can present their own host key. The Airflow worker proceeds with the handshake and forwards credentials, commands, and data to the attacker-controlled endpoint.
The vulnerability requires an in-path network position, which raises attack complexity. However, successful exploitation compromises the confidentiality, integrity, and availability of SSH-controlled workloads.
Root Cause
The root cause is an insecure default in the SSH client configuration. The ComputeEngineSSHHook initializes the underlying SSH client with host-key checking disabled, mapping to [CWE-322]. The hook relies solely on transport-layer assumptions about GCP internal networks without cryptographic verification of the server identity.
Attack Vector
An attacker who controls or compromises a network segment between the Airflow worker and the Compute Engine VM can perform an active man-in-the-middle attack. The adversary intercepts the TCP connection, completes the SSH handshake with their own key pair, and proxies traffic to the legitimate VM. The attacker reads or modifies any command output, file transfer, or credential material flowing through the session.
The vulnerability is described in the Apache mailing list advisory and addressed in the upstream pull request.
Detection Methods for CVE-2026-45361
Indicators of Compromise
- Unexpected SSH host key changes recorded in Airflow worker logs or known_hosts files when verification is enabled
- Anomalous source IPs terminating SSH sessions that should target Compute Engine internal addresses
- Unexplained latency or connection resets during ComputeEngineSSHOperator task execution
Detection Strategies
- Inventory all DAGs and tasks that import or instantiate ComputeEngineSSHHook or ComputeEngineSSHOperator
- Audit installed provider versions across Airflow workers with pip show apache-airflow-providers-google
- Review network flow logs for SSH connections originating from Airflow workers to verify expected destinations
Monitoring Recommendations
- Enable VPC Flow Logs on GCP networks carrying Airflow-to-VM SSH traffic and alert on unexpected hops
- Forward Airflow task logs to a centralized logging platform to detect host-key warnings after remediation
- Monitor for new or modified Airflow connections of type gcpssh that disable host-key checks
How to Mitigate CVE-2026-45361
Immediate Actions Required
- Upgrade apache-airflow-providers-google to version 22.0.0 or later on all Airflow workers and schedulers
- Restart Airflow worker, scheduler, and triggerer processes to load the patched provider
- Re-deploy any custom Docker images or Kubernetes pods that bundle the vulnerable provider version
Patch Information
Apache has released apache-airflow-providers-google 22.0.0, which enables SSH host-key verification by default in ComputeEngineSSHHook. The fix is tracked in Apache Airflow pull request #66746 and announced via the Openwall OSS Security list.
Workarounds
- Explicitly populate a known_hosts file with verified Compute Engine VM host keys and configure the hook to use it
- Restrict Airflow worker network paths to GCP VMs using private VPC peering or IAP TCP forwarding to reduce in-path exposure
- Rotate any SSH credentials, service account keys, or secrets that may have transited unverified sessions
# Upgrade the provider package to the patched release
pip install --upgrade 'apache-airflow-providers-google>=22.0.0'
# Verify the installed version
pip show apache-airflow-providers-google | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
