CVE-2026-49297 - Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
CVE ID :CVE-2026-49297 Published : July 6, 2026, 11:16 a.m. | 9 hours, 58 minutes ago Description :Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination...