Cyber Resilience

CVE-2026-45361

HighUpdated

Published: 25 May 2026

Published
25 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0060 44.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-45361 is a high-severity Key Exchange without Entity Authentication (CWE-322) vulnerability in Apache Apache-Airflow-Providers-Google. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 44.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google`…

more

22.0.0 or later.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Missing SSH host key verification (CWE-322) directly enables in-path MITM interception/modification of SSH sessions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40542Same vendor: Apache
CVE-2026-41603Same vendor: Apache
CVE-2025-68637Same vendor: Apache
CVE-2026-24281Same vendor: Apache
CVE-2025-13914Shared CWE-322
CVE-2026-24734Same vendor: Apache
CVE-2025-62501Shared CWE-322
CVE-2024-47519Shared CWE-322
CVE-2026-31923Same vendor: Apache
CVE-2026-27314Same vendor: Apache

Affected Assets

apache
apache-airflow-providers-google
≤ 22.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References