Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Apache Airflow's ComputeEngineSSHHook disables SSH host-key verification by default, creating a critical vulnerability in data pipeline infrastructure. This means SSH connections between Airflow workers and Google Compute Engine VMs lack protection against man-in-the-middle (MITM) attacks. Any attacker positioned on the network path can intercept, eavesdrop on, or modify SSH sessions without detection. Organizations using apache-airflow-providers-google versions before 22.0.0 are exposed to credential theft, command injection, and unauthorized data exfiltration through compromised SSH channels. This vulnerability is particularly dangerous in cloud environments where multiple services communicate across networks, making it a high-impact supply chain risk for data engineering teams.
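To find which pipelines are affected, the added example below (not code from Casky or the Airflow project) checks a requirements-style pin against the 22.0.0 fix version and statically lists where DAG files instantiate `ComputeEngineSSHHook`. The function names, sample pin and sample DAG are constructed for illustration, and an unpinned provider is assumed to be exposed because its version cannot be confirmed.

```python
import ast
import re

PKG = "apache-airflow-providers-google"
HOOK = "ComputeEngineSSHHook"
FIXED = (22, 0, 0)  # first fixed release named in the advisory text

def pinned_version(requirements):
    """Return the '==' pinned provider version as a tuple, or None if not pinned."""
    pat = re.compile(rf"{re.escape(PKG)}(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)", re.I)
    for line in requirements.splitlines():
        m = pat.fullmatch(line.split("#", 1)[0].strip())
        if m:
            parts = [int(p) for p in m.group(1).split(".")]
            return tuple(parts + [0] * (3 - len(parts)))
    return None

def hook_call_lines(source):
    """Line numbers where the hook is instantiated, following import aliases."""
    tree = ast.parse(source)  # parses only; the DAG code is never executed
    names = {HOOK}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            names.update(a.asname for a in node.names if a.name == HOOK and a.asname)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            f = node.func
            called = getattr(f, "id", None) or getattr(f, "attr", None)
            if called in names:
                hits.append(node.lineno)
    return sorted(hits)

def triage(requirements, dags):
    """Map DAG path -> hook call lines when the pin is missing or below FIXED."""
    ver = pinned_version(requirements)
    if ver is not None and ver >= FIXED:
        return {}
    found = {path: hook_call_lines(src) for path, src in dags.items()}
    return {path: lines for path, lines in found.items() if lines}

# Constructed sample input (not taken from any real deployment).
SAMPLE_REQS = "apache-airflow-providers-google==21.3.0  # constructed pin\n"
SAMPLE_DAG = (
    "from airflow.providers.google.cloud.hooks.compute_ssh import ComputeEngineSSHHook as GceSsh\n"
    "hook = GceSsh(instance_name='vm-1', zone='us-central1-a')\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_REQS, {"dags/sample.py": SAMPLE_DAG}))
```

The scan is static, so a hook built through a factory or dynamic import will not be listed; treat an empty result as "no direct instantiation found", not as proof of absence.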
Casky's Claude-powered analysis would detect attack patterns associated with this vulnerability by mapping defensive gaps to MITRE ATT&CK techniques like T1021.004 (SSH) and T1556 (Modify Authentication Process). Extended reasoning across Casky's 754 mapped security skills would identify suspicious indicators: unencrypted or unverified SSH sessions in Airflow logs, unexpected network traffic to Compute Engine instances, SSH connections bypassing certificate validation, and lateral movement patterns through Airflow worker nodes. Practitioners using Casky would see findings highlighting configuration weaknesses in provider settings, missing host-key verification parameters, and recommendations to enforce strict SSH transport security policies. The platform would correlate this vulnerability with related infrastructure-as-code misconfigurations and suggest automated detection rules for abnormal SSH session behavior in data pipeline environments.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-45361. Run one and get CVSS-scored findings in 3 minutes.