Severity: low Affected versions:
- Apache Airflow Google provider (apache-airflow-providers-google) before 22.0.0 Description: Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later. Credit: Michael Winser (Mythos scan — internal partner; no credit-form question needed) (finder) Jarek Potiuk (remediation developer) References: https://github.com/apache/airflow/pull/66746 https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-45361
