Security Advisory - Published 2026-06-18 - Apache Workflow Platforms

Airflow and DolphinScheduler CVEs: check workflow paths, APIs, and secrets

Workflow platforms sit close to credentials, data stores, file transfers, and scheduled jobs. CVE-2026-50203 affects Airflow SFTP provider behavior. CVE-2026-32966 and CVE-2026-32967 affect DolphinScheduler authorization boundaries.

Defensive scope: use this page to review owned workflow systems, approved client environments, and internal scheduler hosts.

Owner self-check

pip show apache-airflow-providers-sftp apache-airflow 2>/dev/null   # installed provider and core versions
airflow dags list 2>/dev/null | head -80                            # which DAGs exist on this host
find dags plugins logs -type f -mtime -10 2>/dev/null | head -120   # files changed in the last 10 days
grep -RE "SFTPHook|SFTPOperator|datasource|/v2" dags logs conf 2>/dev/null | head -120   # SFTP, datasource, and v2 API usage

What to review

  • Airflow DAGs that pull directories from SFTP servers controlled by vendors, customers, or third parties.
  • Unexpected files written outside expected DAG output, temp, import, or landing directories.
  • DolphinScheduler API exposure, datasource metadata access, and v2 experimental interface access.
  • Scheduler service accounts, database credentials, object storage keys, and recent job edits.
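The landing-directory review above, as an added example that is not from this advisory or the Airflow project: a lexical containment check a DAG can run over the names returned by a third-party SFTP listing before writing them under its local landing directory. The `/data/landing/vendor_a` base and the sample listing are constructed for the example.

```python
import posixpath


def landing_path_for(landing_dir: str, remote_name: str):
    """Return the local path where remote_name would be written, or None
    when that path would fall outside landing_dir (purely lexical check)."""
    base = posixpath.normpath(landing_dir)
    if not posixpath.isabs(base):
        raise ValueError("landing_dir must be an absolute path")
    # Names come from the remote server, so treat them as untrusted input.
    # join() discards base when remote_name is absolute; normpath collapses '..'.
    candidate = posixpath.normpath(posixpath.join(base, remote_name))
    if candidate == base:
        return None  # '' or '.' would target the directory itself, not a file
    if posixpath.commonpath([base, candidate]) != base:
        return None  # would land outside landing_dir (also catches prefix tricks)
    return candidate


def triage_listing(landing_dir: str, remote_names):
    """Split a remote listing into names safe to fetch and names to refuse."""
    accepted, rejected = [], []
    for name in remote_names:
        if landing_path_for(landing_dir, name) is None:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample listing, shaped like what a vendor-run server might return.
SAMPLE_LISTING = [
    "reports/2026-06-17.csv",
    "reports/../../../tmp/outside.txt",
    "/var/tmp/absolute.txt",
    "nested/./ok.parquet",
    ".",
]

if __name__ == "__main__":
    # Symlinks inside the landing directory are not followed here; on the
    # worker itself, pair this with os.path.realpath on the accepted paths.
    ok, refused = triage_listing("/data/landing/vendor_a", SAMPLE_LISTING)
    print("fetch:", ok)
    print("refuse:", refused)
```

Refused names are the ones worth logging and alerting on, since the review item above is exactly files landing outside the expected directory.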

Safe fix path

  1. Patch the Airflow SFTP provider and DolphinScheduler to the fixed versions named in the project advisories.
  2. Restrict scheduler APIs to private networks, SSO, or VPN paths.
  3. Review DAG output directories and datasource metadata access logs.
  4. Rotate secrets if jobs wrote unexpected files or datasource metadata was exposed.

Repair help

Use Ping7 CVE Repair if a workflow host touched production credentials, vendor SFTP paths, or datasource metadata during the exposure window.

References