Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket (typically a different trust principal than the DAG author — partner uploads, ingest-only service accounts, public-data buckets) could create an object whose name contains `..` segments and cause the DAG run to write the downloaded blob outside the configured destination (the SFTP `destination_path` for `GCSToSFTPOperator`; the worker-local temp directory for `GCSTimeSpanFileTransformOperator`), enabling overwrite of arbitrary files on the SFTP server or the worker host. Affects deployments that ingest from buckets writable by less-trusted principals. Users are advised to upgrade to `apache-airflow-providers-google` 22.2.1 or later.
Casky was already ahead
This CVE exploits attack patterns that Casky's 351matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Apache Airflow's Google Cloud Storage provider operators contain a critical path traversal vulnerability (CWE-22) in `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator`. These operators fail to sanitize or validate GCS object names before concatenating them with destination filesystem paths, allowing attackers to use directory traversal sequences like `..` to write files outside intended directories. This vulnerability is particularly dangerous because it can be exploited by users with write access to source GCS buckets—such as partner service accounts, data ingestion services, or public bucket contributors—who may have different trust levels than DAG authors. The CVSS 8.1 score reflects the high severity: attackers can achieve arbitrary file write on systems running Airflow workers, potentially leading to code execution, configuration tampering, or privilege escalation.
Casky.ai's 351 matching skills detect this vulnerability through Claude AI's analysis of two critical MITRE ATT&CK techniques: TA0001 (Initial Access) and TA0007 (Discovery). Practitioners using Casky would observe detection patterns identifying suspicious GCS object naming conventions containing path traversal payloads, combined with file write operations outside expected directories on worker nodes. The platform's extended reasoning capabilities map the attack chain: initial access via compromised or untrusted bucket credentials flows into discovery of target filesystem paths, followed by execution of the traversal attack. Findings would highlight the lack of input normalization in operator code, flag mismatches between intended and actual file destinations, and correlate GCS API calls with unexpected filesystem modifications—enabling security teams to identify both vulnerable deployments and active exploitation attempts before files are written to sensitive locations.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-49297.
Casky has 351 skills that investigate the attack patterns behind CVE-2026-49297. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →Access with Stolen Session Cookie
penetration testing · medium
Account Access Removal
cloud security · low
Account Manipulation
cloud security · low
Account Manipulation: Account Linking
cloud security · low
Account Manipulation: Change Account Details
cloud security · low
Account Manipulation: Change of Payment Details
phishing defense · medium
Account Takeover
red teaming · high
Account Takeover
red teaming · high
Account Takeover
phishing defense · medium
Account Takeover: Exposed Login Credential
phishing defense · medium
Account Takeover: Exposed Login Credential
red teaming · high
Account Takeover: Exposed Login Credential
threat hunting · low
analyzing-cloud-storage-access-patterns
cloud security · low
analyzing-ios-app-security-with-objection
mobile security · low
analyzing-malicious-url-with-urlscan
phishing defense · medium
analyzing-office365-audit-logs-for-compromise
cloud security · low
analyzing-persistence-mechanisms-in-linux
threat hunting · low
analyzing-powershell-empire-artifacts
threat hunting · low
auditing-aws-s3-bucket-permissions
cloud security · low
auditing-azure-active-directory-configuration
cloud security · low
auditing-cloud-with-cis-benchmarks
cloud security · low
auditing-gcp-iam-permissions
cloud security · low
auditing-terraform-infrastructure-for-security
cloud security · low
auditing-uefi-firmware-with-chipsec
hardware firmware security · low
Browser Session Hijacking
cloud security · low
building-c2-infrastructure-with-sliver-framework
red teaming · high
building-c2-redirector-infrastructure
red teaming · high
building-cloud-siem-with-sentinel
cloud security · low
building-devsecops-pipeline-with-gitlab-ci
devsecops · low
building-patch-tuesday-response-process
vulnerability management · medium
building-red-team-c2-infrastructure-with-havoc
red teaming · high
building-threat-hunt-hypothesis-framework
threat hunting · low
building-vulnerability-aging-and-sla-tracking
vulnerability management · medium
building-vulnerability-dashboard-with-defectdojo
vulnerability management · medium
building-vulnerability-exception-tracking-system
vulnerability management · medium
bypassing-authentication-with-forced-browsing
web application security · medium
coercing-authentication-with-coercer-petitpotam
red teaming · high
conducting-api-security-testing
penetration testing · medium
conducting-cloud-penetration-testing
cloud security · low
conducting-domain-persistence-with-dcsync
red teaming · high
conducting-external-reconnaissance-with-osint
penetration testing · medium
conducting-full-scope-red-team-engagement
red teaming · high
conducting-internal-network-penetration-test
penetration testing · medium
conducting-internal-reconnaissance-with-bloodhound-ce
red teaming · high
conducting-mobile-app-penetration-test
penetration testing · medium
conducting-network-penetration-test
penetration testing · medium
conducting-pass-the-ticket-attack
red teaming · high
conducting-wireless-network-penetration-test
penetration testing · medium
Convert to Cryptocurrency
cloud security · low
Create Fake Materials: Fake Website
phishing defense · medium
Create Fake Materials: Fake Website
phishing defense · medium
Create Fake Materials: Fake Website
threat hunting · low
Create Fake Materials: Fake Website
phishing defense · medium
Create Fake Materials: Fake Website
penetration testing · medium
Create Fake Materials: Fake Website
phishing defense · medium
Delete Relevant Emails
phishing defense · medium
detecting-anomalies-in-industrial-control-systems
ot ics security · medium
detecting-api-enumeration-attacks
api security · medium
detecting-attacks-on-historian-servers
ot ics security · medium
detecting-attacks-on-scada-systems
ot ics security · medium
detecting-aws-guardduty-findings-automation
cloud security · low
detecting-aws-iam-privilege-escalation
cloud security · low
detecting-azure-lateral-movement
cloud security · low
detecting-azure-service-principal-abuse
cloud security · low
detecting-azure-storage-account-misconfigurations
cloud security · low
detecting-broken-object-property-level-authorization
api security · medium
detecting-cloud-threats-with-guardduty
cloud security · low
detecting-dcsync-attack-in-active-directory
threat hunting · low
detecting-dll-sideloading-attacks
threat hunting · low
detecting-dnp3-protocol-anomalies
ot ics security · medium
detecting-email-forwarding-rules-attack
threat hunting · low
detecting-golden-ticket-attacks-in-kerberos-logs
threat hunting · low
detecting-insider-threat-behaviors
threat hunting · low
detecting-kerberoasting-attacks
threat hunting · low
detecting-lateral-movement-with-splunk
threat hunting · low
detecting-malicious-scheduled-tasks-with-sysmon
threat hunting · low
detecting-mimikatz-execution-patterns
threat hunting · low
detecting-misconfigured-azure-storage
cloud security · low
detecting-modbus-command-injection-attacks
ot ics security · medium
detecting-modbus-protocol-anomalies
ot ics security · medium
detecting-ntlm-relay-with-event-correlation
threat hunting · low
detecting-pass-the-hash-attacks
threat hunting · low
detecting-privilege-escalation-attempts
threat hunting · low
detecting-process-hollowing-technique
threat hunting · low
detecting-s3-data-exfiltration-attempts
cloud security · low
detecting-secure-boot-bypass
hardware firmware security · low
detecting-serverless-function-injection
cloud security · low
detecting-service-account-abuse
threat hunting · low
detecting-shadow-api-endpoints
api security · medium
detecting-shadow-it-cloud-usage
cloud security · low
detecting-stuxnet-style-attacks
ot ics security · medium
detecting-suspicious-oauth-application-consent
cloud security · low
detecting-suspicious-powershell-execution
threat hunting · low
detecting-t1055-process-injection-with-sysmon
threat hunting · low
detecting-t1548-abuse-elevation-control-mechanism
threat hunting · low
detecting-wmi-persistence
threat hunting · low
Electronic Funds Transfer: Wire Transfer
phishing defense · medium
emulating-cloud-attacks-with-stratus-red-team
cloud security · low
enumerating-cloud-with-cloudfox
cloud security · low
executing-active-directory-attack-simulation
penetration testing · medium
executing-red-team-engagement-planning
red teaming · high
executing-red-team-exercise
penetration testing · medium
exploiting-active-directory-certificate-services-esc1
red teaming · high
exploiting-active-directory-with-bloodhound
red teaming · high
exploiting-adcs-with-certipy
red teaming · high
exploiting-api-injection-vulnerabilities
api security · medium
exploiting-aws-with-pacu
cloud security · low
exploiting-broken-function-level-authorization
api security · medium
exploiting-broken-link-hijacking
web application security · medium
exploiting-constrained-delegation-abuse
red teaming · high
exploiting-deeplink-vulnerabilities
mobile security · low
exploiting-excessive-data-exposure-in-api
api security · medium
exploiting-http-request-smuggling
web application security · medium
exploiting-idor-vulnerabilities
web application security · medium
exploiting-insecure-data-storage-in-mobile
mobile security · low
exploiting-insecure-deserialization
web application security · medium
exploiting-jwt-algorithm-confusion-attack
api security · medium
exploiting-kerberoasting-with-impacket
red teaming · high
exploiting-mass-assignment-in-rest-apis
web application security · medium
exploiting-ms17-010-eternalblue-vulnerability
red teaming · high
exploiting-nopac-cve-2021-42278-42287
red teaming · high
exploiting-nosql-injection-vulnerabilities
web application security · medium
exploiting-oauth-misconfiguration
web application security · medium
exploiting-prototype-pollution-in-javascript
web application security · medium
exploiting-race-condition-vulnerabilities
web application security · medium
exploiting-server-side-request-forgery
web application security · medium
exploiting-sql-injection-vulnerabilities
penetration testing · medium
exploiting-sql-injection-with-sqlmap
web application security · medium
exploiting-template-injection-vulnerabilities
web application security · medium
exploiting-type-juggling-vulnerabilities
web application security · medium
exploiting-vulnerabilities-with-metasploit-framework
vulnerability management · medium
exploiting-websocket-vulnerabilities
web application security · medium
exploiting-zerologon-vulnerability-cve-2020-1472
red teaming · high
fleet-hunting-with-velociraptor
threat hunting · low
hunting-bootkits-in-efi-system-partition
hardware firmware security · low
hunting-evtx-with-chainsaw
threat hunting · low
hunting-for-anomalous-powershell-execution
threat hunting · low
hunting-for-beaconing-with-frequency-analysis
threat hunting · low
hunting-for-cobalt-strike-beacons
threat hunting · low
hunting-for-command-and-control-beaconing
threat hunting · low
hunting-for-data-exfiltration-indicators
threat hunting · low
hunting-for-data-staging-before-exfiltration
threat hunting · low
hunting-for-dcom-lateral-movement
threat hunting · low
hunting-for-dcsync-attacks
threat hunting · low
hunting-for-defense-evasion-via-timestomping
threat hunting · low
hunting-for-dns-based-persistence
threat hunting · low
hunting-for-dns-tunneling-with-zeek
threat hunting · low
hunting-for-domain-fronting-c2-traffic
threat hunting · low
hunting-for-lateral-movement-via-wmi
threat hunting · low
hunting-for-living-off-the-cloud-techniques
threat hunting · low
hunting-for-living-off-the-land-binaries
threat hunting · low
hunting-for-lolbins-execution-in-endpoint-logs
threat hunting · low
hunting-for-ntlm-relay-attacks
threat hunting · low
hunting-for-persistence-mechanisms-in-windows
threat hunting · low
hunting-for-persistence-via-wmi-subscriptions
threat hunting · low
hunting-for-process-injection-techniques
threat hunting · low
hunting-for-registry-persistence-mechanisms
threat hunting · low
hunting-for-registry-run-key-persistence
threat hunting · low
hunting-for-scheduled-task-persistence
threat hunting · low
hunting-for-shadow-copy-deletion
threat hunting · low
hunting-for-startup-folder-persistence
threat hunting · low
hunting-for-supply-chain-compromise
threat hunting · low
hunting-for-suspicious-scheduled-tasks
threat hunting · low
hunting-for-t1098-account-manipulation
threat hunting · low
hunting-for-unusual-network-connections
threat hunting · low
hunting-for-unusual-service-installations
threat hunting · low
hunting-for-webshell-activity
threat hunting · low
Impersonate Account Holder
phishing defense · medium
Impersonate Account Holder
phishing defense · medium
implementing-api-abuse-detection-with-rate-limiting
api security · medium
implementing-api-gateway-security-controls
api security · medium
implementing-api-key-security-controls
api security · medium
implementing-api-rate-limiting-and-throttling
api security · medium
implementing-api-schema-validation-security
api security · medium
implementing-api-security-posture-management
api security · medium
implementing-api-security-testing-with-42crunch
api security · medium
implementing-api-threat-protection-with-apigee
api security · medium
implementing-aqua-security-for-container-scanning
devsecops · low
implementing-attack-path-analysis-with-xm-cyber
vulnerability management · medium
implementing-aws-config-rules-for-compliance
cloud security · low
implementing-aws-macie-for-data-classification
cloud security · low
implementing-aws-nitro-enclave-security
cloud security · low
implementing-aws-security-hub
cloud security · low
implementing-aws-security-hub-compliance
cloud security · low
implementing-azure-defender-for-cloud
cloud security · low
implementing-cloud-dlp-for-data-protection
cloud security · low
implementing-cloud-security-posture-management
cloud security · low
implementing-cloud-trail-log-analysis
cloud security · low
implementing-cloud-vulnerability-posture-management
vulnerability management · medium
implementing-cloud-waf-rules
cloud security · low
implementing-cloud-workload-protection
cloud security · low
implementing-code-signing-for-artifacts
devsecops · low
implementing-conduit-security-for-ot-remote-access
ot ics security · medium
implementing-continuous-security-validation-with-bas
vulnerability management · medium
implementing-dmarc-dkim-spf-email-security
phishing defense · medium
implementing-dragos-platform-for-ot-monitoring
ot ics security · medium
implementing-email-sandboxing-with-proofpoint
phishing defense · medium
implementing-epss-score-for-vulnerability-prioritization
vulnerability management · medium
implementing-fuzz-testing-in-cicd-with-aflplusplus
devsecops · low
implementing-gcp-binary-authorization
cloud security · low
implementing-gcp-organization-policy-constraints
cloud security · low
implementing-gcp-vpc-firewall-rules
cloud security · low
implementing-github-advanced-security-for-code-scanning
devsecops · low
implementing-ics-firewall-with-tofino
ot ics security · medium
implementing-iec-62443-security-zones
ot ics security · medium
implementing-infrastructure-as-code-security-scanning
devsecops · low
implementing-mobile-application-management
mobile security · low
implementing-nerc-cip-compliance-controls
ot ics security · medium
implementing-network-segmentation-for-ot
ot ics security · medium
implementing-ot-incident-response-playbook
ot ics security · medium
implementing-ot-network-traffic-analysis-with-nozomi
ot ics security · medium
implementing-patch-management-for-ot-systems
ot ics security · medium
implementing-patch-management-workflow
vulnerability management · medium
implementing-policy-as-code-with-open-policy-agent
devsecops · low
implementing-purdue-model-network-segmentation
ot ics security · medium
implementing-rapid7-insightvm-for-scanning
vulnerability management · medium
implementing-secret-scanning-with-gitleaks
devsecops · low
implementing-secrets-management-with-vault
cloud security · low
implementing-secrets-scanning-in-ci-cd
devsecops · low
implementing-semgrep-for-custom-sast-rules
devsecops · low
implementing-vulnerability-management-with-greenbone
vulnerability management · medium
implementing-vulnerability-remediation-sla
vulnerability management · medium
implementing-vulnerability-sla-breach-alerting
vulnerability management · medium
implementing-web-application-logging-with-modsecurity
web application security · medium
implementing-zero-trust-in-cloud
cloud security · low
implementing-zero-trust-network-access
cloud security · low
integrating-dast-with-owasp-zap-in-pipeline
devsecops · low
integrating-sast-into-github-actions-pipeline
devsecops · low
intercepting-mobile-traffic-with-burpsuite
mobile security · low
mapping-attack-paths-with-bloodhound-ce
red teaming · high
moving-laterally-with-netexec
penetration testing · medium
operating-havoc-c2
red teaming · high
operating-sliver-c2
red teaming · high
performing-active-directory-bloodhound-analysis
red teaming · high
performing-active-directory-penetration-test
penetration testing · medium
performing-active-directory-vulnerability-assessment
vulnerability management · medium
performing-agentless-vulnerability-scanning
vulnerability management · medium
performing-android-app-static-analysis-with-mobsf
mobile security · low
performing-api-fuzzing-with-restler
api security · medium
performing-api-inventory-and-discovery
api security · medium
performing-api-rate-limiting-bypass
api security · medium
performing-api-security-testing-with-postman
api security · medium
performing-asset-criticality-scoring-for-vulns
vulnerability management · medium
performing-authenticated-scan-with-openvas
vulnerability management · medium
performing-authenticated-vulnerability-scan
vulnerability management · medium
performing-aws-account-enumeration-with-scout-suite
cloud security · low
performing-aws-privilege-escalation-assessment
cloud security · low
performing-blind-ssrf-exploitation
web application security · medium
performing-clickjacking-attack-test
web application security · medium
performing-cloud-asset-inventory-with-cartography
cloud security · low
performing-cloud-forensics-with-aws-cloudtrail
cloud security · low
performing-cloud-log-forensics-with-athena
cloud security · low
performing-cloud-native-forensics-with-falco
cloud security · low
performing-cloud-native-threat-hunting-with-aws-detective
cloud security · low
performing-cloud-penetration-testing-with-pacu
cloud security · low
performing-container-image-hardening
devsecops · low
performing-content-security-policy-bypass
web application security · medium
performing-csrf-attack-simulation
web application security · medium
performing-cve-prioritization-with-kev-catalog
vulnerability management · medium
performing-directory-traversal-testing
web application security · medium
performing-dmarc-policy-enforcement-rollout
phishing defense · medium
performing-dynamic-analysis-of-android-app
mobile security · low
performing-external-network-penetration-test
penetration testing · medium
performing-gcp-penetration-testing-with-gcpbucketbrute
cloud security · low
performing-gcp-security-assessment-with-forseti
cloud security · low
performing-graphql-depth-limit-attack
api security · medium
performing-graphql-introspection-attack
api security · medium
performing-graphql-security-assessment
web application security · medium
performing-http-parameter-pollution-attack
web application security · medium
performing-ics-asset-discovery-with-claroty
ot ics security · medium
performing-ios-app-security-assessment
mobile security · low
performing-iot-security-assessment
penetration testing · medium
performing-jwt-none-algorithm-attack
api security · medium
performing-kerberoasting-attack
red teaming · high
performing-lateral-movement-with-wmiexec
red teaming · high
performing-mobile-app-certificate-pinning-bypass
mobile security · low
performing-oil-gas-cybersecurity-assessment
ot ics security · medium
performing-open-source-intelligence-gathering
red teaming · high
performing-ot-network-security-assessment
ot ics security · medium
performing-ot-vulnerability-assessment-with-claroty
ot ics security · medium
performing-ot-vulnerability-scanning-safely
ot ics security · medium
performing-physical-intrusion-assessment
red teaming · high
performing-plc-firmware-security-analysis
ot ics security · medium
performing-power-grid-cybersecurity-assessment
ot ics security · medium
performing-privilege-escalation-assessment
penetration testing · medium
performing-privilege-escalation-on-linux
red teaming · high
performing-s7comm-protocol-security-analysis
ot ics security · medium
performing-sca-dependency-scanning-with-snyk
devsecops · low
performing-scada-hmi-security-assessment
ot ics security · medium
performing-second-order-sql-injection
web application security · medium
performing-security-headers-audit
web application security · medium
performing-serverless-function-security-review
cloud security · low
performing-soap-web-service-security-testing
api security · medium
performing-subdomain-enumeration-with-subfinder
web application security · medium
performing-thick-client-application-penetration-test
penetration testing · medium
performing-threat-hunting-with-yara-rules
threat hunting · low
performing-threat-modeling-with-owasp-threat-dragon
devsecops · low
performing-vulnerability-scanning-with-nessus
penetration testing · medium
performing-web-application-firewall-bypass
web application security · medium
performing-web-application-penetration-test
penetration testing · medium
performing-web-application-scanning-with-nikto
vulnerability management · medium
performing-web-application-vulnerability-triage
vulnerability management · medium
performing-web-cache-deception-attack
web application security · medium
performing-web-cache-poisoning-attack
web application security · medium
performing-wireless-network-penetration-test
penetration testing · medium
Phone Number Spoofing: Official Phone Number Spoofing
red teaming · high
prioritizing-vulnerabilities-with-cvss-scoring
vulnerability management · medium
relaying-ntlm-for-adcs-esc8
red teaming · high
remediating-s3-bucket-misconfiguration
cloud security · low
reverse-engineering-ios-app-with-frida
mobile security · low
scanning-containers-with-trivy-in-cicd
devsecops · low
scanning-iac-and-images-with-trivy
devsecops · low
scanning-infrastructure-with-nessus
vulnerability management · medium
securing-api-gateway-with-aws-waf
cloud security · low
securing-aws-lambda-execution-roles
cloud security · low
securing-azure-with-microsoft-defender
cloud security · low
securing-container-registry-images
cloud security · low
securing-github-actions-workflows
devsecops · low
securing-historian-server-in-ot-environment
ot ics security · medium
securing-kubernetes-on-cloud
cloud security · low
securing-remote-access-to-ot-environment
ot ics security · medium
securing-serverless-functions
cloud security · low
testing-android-intents-for-vulnerabilities
mobile security · low
testing-api-authentication-weaknesses
api security · medium
testing-api-for-broken-object-level-authorization
api security · medium
testing-api-for-mass-assignment-vulnerability
api security · medium
testing-api-security-with-owasp-top-10
web application security · medium
testing-cors-misconfiguration
web application security · medium
testing-for-broken-access-control
web application security · medium
testing-for-business-logic-vulnerabilities
web application security · medium
testing-for-email-header-injection
web application security · medium
testing-for-host-header-injection
web application security · medium
testing-for-json-web-token-vulnerabilities
web application security · medium
testing-for-open-redirect-vulnerabilities
web application security · medium
testing-for-sensitive-data-exposure
web application security · medium
testing-for-xml-injection-vulnerabilities
web application security · medium
testing-for-xss-vulnerabilities
penetration testing · medium
testing-for-xss-vulnerabilities-with-burpsuite
web application security · medium
testing-for-xxe-injection-vulnerabilities
web application security · medium
testing-jwt-token-security
web application security · medium
testing-mobile-api-authentication
mobile security · low
testing-oauth2-implementation-flaws
api security · medium
testing-websocket-api-security
api security · medium
Transfer of funds
threat hunting · low
triaging-vulnerabilities-with-ssvc-framework
vulnerability management · medium
Use Alternate Authentication Material: Application Access Token
cloud security · low
Use Alternate Authentication Material: Application Access Token
cloud security · low
validating-tpm-measured-boot-attestation
hardware firmware security · low
© 2026 Casky.AI, Inc. · AI Security Investigation