HIGH 7.5

PYSEC-2026-238

Details

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / apache-airflow-providers-ftp

Introduced in: 0 Fixed in: 3.15.1

Fix pip install --upgrade 'apache-airflow-providers-ftp>=3.15.1'

References

http://www.openwall.com/lists/oss-security/2026/06/26/1 [WEB]
https://lists.apache.org/thread/gwnsxlt9hfj5pc543wxtogbnjdn04xj1 [ADVISORY]
https://github.com/apache/airflow/pull/67946 [FIX]