Security Advisory - Published 2026-06-18 - Apache Workflow Platforms
Airflow and DolphinScheduler CVEs: check workflow paths, APIs, and secrets
Workflow platforms sit close to credentials, data stores, file transfers, and scheduled jobs, so a bug in one tends to reach beyond the scheduler itself. CVE-2026-50203 affects the Airflow SFTP provider (apache-airflow-providers-sftp). CVE-2026-32966 and CVE-2026-32967 affect DolphinScheduler authorization boundaries.
Owner self-check
pip show apache-airflow-providers-sftp apache-airflow 2>/dev/null
airflow dags list 2>/dev/null | head -80
find dags plugins logs -type f -mtime -10 2>/dev/null | head -120
grep -R -E 'SFTPHook|SFTPOperator|datasource|/v2' dags logs conf 2>/dev/null | head -120
What to review
- Airflow DAGs that pull directories from SFTP servers controlled by vendors, customers, or third parties.
- Unexpected files written outside expected DAG output, temp, import, or landing directories.
- DolphinScheduler API exposure, datasource metadata access, and v2 experimental interface access.
- Scheduler service accounts, database credentials, object storage keys, and recent job edits.
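Two of the review items above, the SFTP pull from a third-party server and the search for files written outside expected directories, come down to path containment. The following Python is an added example for this page, not code from Airflow, its SFTP provider, or DolphinScheduler: contained_destination maps a remote SFTP entry name onto a local landing directory and refuses anything that would resolve outside it, and unexpected_writes filters a find(1)-style listing of recently modified files down to paths outside the directories a job is expected to write. The directory layout, the listing, and the allow-list are constructed for illustration.

```python
from pathlib import Path, PurePosixPath
from typing import Iterable, List


def contained_destination(landing_dir: str, remote_name: str) -> str:
    """Map a remote SFTP entry name to a local path under landing_dir, or raise.

    A file name taken from a vendor or customer server is untrusted input:
    absolute names, '..' components, and symlinks already present inside
    landing_dir can all steer the write elsewhere. The final check is made on
    the resolved path rather than on the string.
    """
    remote = PurePosixPath(remote_name)
    if not remote_name or remote.is_absolute() or ".." in remote.parts:
        raise ValueError(f"refusing remote name {remote_name!r}")
    base = Path(landing_dir).resolve()
    dest = (base / remote).resolve()  # follows any symlink that exists on disk
    if base not in dest.parents:      # destination must be strictly below base
        raise ValueError(f"{remote_name!r} resolves outside {base}")
    return str(dest)


def unexpected_writes(listing: Iterable[str], allowed_dirs: Iterable[str]) -> List[str]:
    """Return paths from a find(1)-style listing that lie outside allowed_dirs.

    Containment is decided with Path.parents rather than str.startswith, so an
    allowed '/opt/airflow/landing' does not also cover '/opt/airflow/landing2'.
    """
    allowed = [Path(d).resolve() for d in allowed_dirs]
    flagged = []
    for line in listing:
        p = line.strip()
        if not p:
            continue
        rp = Path(p).resolve()
        if not any(a == rp or a in rp.parents for a in allowed):
            flagged.append(p)
    return flagged


# Constructed sample: what `find / -xdev -type f -mtime -10` might print on a
# worker after a suspicious vendor_sync run. Illustrative paths, not real data.
SAMPLE_LISTING = """\
/opt/airflow/landing/vendor/2026-06-18/report.csv
/opt/airflow/logs/dag_id=vendor_sync/run_id=manual__2026-06-18/attempt=1.log
/opt/airflow/landing2/other.csv
/etc/cron.d/airflow_sync
/home/airflow/.ssh/authorized_keys
/opt/airflow/dags/vendor_sync.py
""".splitlines()

# Directories a vendor_sync run is expected to write to (assumed layout).
EXPECTED_WRITE_DIRS = ["/opt/airflow/landing", "/opt/airflow/logs", "/tmp/airflow"]


def review_sample() -> List[str]:
    """Run the listing check over the constructed sample."""
    return unexpected_writes(SAMPLE_LISTING, EXPECTED_WRITE_DIRS)


if __name__ == "__main__":
    for name in ["vendor/report.csv", "../../etc/cron.d/job", "/etc/passwd"]:
        try:
            print("ok  ", contained_destination("/opt/airflow/landing", name))
        except ValueError as exc:
            print("DENY", exc)
    for path in review_sample():
        print("REVIEW", path)
```

In the sample, the cron drop-in, the authorized_keys file, and the recently edited DAG file are the lines that need a human; the recently edited DAG matches the "recent job edits" item above and is worth reading before trusting the rest of the listing.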
Safe fix path
- Upgrade the Airflow SFTP provider and DolphinScheduler to the fixed versions named in the project advisories, and confirm the installed version afterwards with the pip show command above.
- Restrict scheduler APIs to private networks, SSO, or VPN paths.
- Review DAG output directories and datasource metadata access logs.
- Rotate secrets if jobs wrote unexpected files or datasource metadata was exposed.
Repair help
Use Ping7 CVE Repair if a workflow host touched production credentials, vendor SFTP paths, or datasource metadata during the exposure window.