156 matches found
CVE-2026-38974
A flaw was found in Dulwich. The contrib/paramikovendor.py component is missing Secure Shell SSH host key verification. This vulnerability allows a remote attacker to impersonate a legitimate Git server. By doing so, the attacker could potentially intercept sensitive information or execute...
CVE-2026-38974
Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramikovendor.py...
CVE-2026-58065
The Apache Airflow Git provider runs its git-over-SSH operations with StrictHostKeyChecking=no by default, disabling SSH host-key verification. An attacker who can intercept the network path between an Airflow worker and the Git server can impersonate the server man-in-the-middle, capturing the S...
SUSE CVE-2026-12064
When a user invokes curl using a schemeless URL combined with --proto-default sftp or scp, a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like...
CVE-2026-54100
A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture...
CVE-2026-54100
A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture...
EUVD-2026-38234
A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture...
CVE-2026-54100 Windows-machine-config-operator: windows-machine-config-operator: ssh host key not verified enables credential theft
A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture...
CVE-2026-54100
CVE-2026-54100 affects the Windows Machine Config Operator (WMCO) used with Red Hat OpenShift Container Platform. The flaw is that WMCO establishes SSH connections to Windows worker nodes without verifying the remote host key, enabling an adjacent-network attacker who can intercept or redirect WM...
CVE-2026-54100
A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture...
CVE-2026-11745
The CVE-2026-11745 vulnerability affects centraldogma-server-mirror-git versions prior to 0.84.0. The Git mirror SSH client does not verify remote host keys for git+ssh:// connections, enabling an on-path attacker to perform man-in-the-middle attacks and potentially compromise mirrored repositori...
curl: CVE-2026-12064: proto-default skips SSH verification
Summary When a user invokes curl with a schemeless URL and --proto-default sftp or scp, the tool layer guesses the URL is HTTP and skips setting SSH security options CURLOPTSSHHOSTPUBLICKEYSHA256, CURLOPTSSHKNOWNHOSTS. However libcurl's runtime correctly applies --proto-default and connects via...
CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
Key Exchange without Entity Authentication
Overview apache-airflow-providers-google is a Provider for Apache Airflow. Implements apache-airflow-providers-google package Affected versions of this package are vulnerable to Key Exchange without Entity Authentication due to SSH host key verification being disabled by default in the...
PYSEC-2026-166
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
PYSEC-0000-CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
PYSEC-2026-166
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
EUVD-2026-31659
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...