cryptography and nltk pinned versions block CVE fixes for downstream users #1022

@youssef-atelic

Description

Summary

PyAirbyte's dependency pins prevent downstream projects from resolving several CVEs:

cryptography (pinned >=44.0.0,<45.0.0)

CVE              Severity  Fix Version  Description
CVE-2026-34073   High      46.0.6       Incomplete DNS name constraint enforcement on peer names
CVE-2026-26007   High      46.0.5       Subgroup attack due to missing validation for SECT curves

pyopenssl (CVE-2026-27459, CVE-2026-27448) is also blocked transitively since it requires cryptography>=46.

nltk (pinned ==3.9.1 in airbyte-cdk)

CVE              Fix Version  Description
CVE-2026-0846    3.9.3        Arbitrary file read via absolute path input
CVE-2025-14009   3.9.3        Zip slip vulnerability
CVE-2026-33231   3.9.4        Unauthenticated remote shutdown in wordnet_app
CVE-2026-33230   3.9.4        XSS in nltk
CVE-2026-0847    No fix       Path traversal
CVE-2026-33236   No fix       Downloader path traversal (AFO)

Request

Could the cryptography upper bound be relaxed to <47.0.0 (or removed), and the nltk pin in airbyte-cdk be bumped to >=3.9.4? This would allow downstream projects to resolve these CVEs through normal dependency resolution.

Environment

  • PyAirbyte 0.44.1
  • airbyte-cdk 7.17.4
  • Python 3.12
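The mechanism behind this report is a resolver question: given a library's version specifiers, is any release that carries the CVE fix still admissible? The script below is an added example, not PyAirbyte or airbyte-cdk code. It evaluates simple PEP 440 comparison clauses against release strings, reports which advisories a pin set leaves unreachable, and shows why a transitive requirement such as pyopenssl's cryptography>=46 cannot be satisfied under a <45.0.0 upper bound. The pin strings and CVE/fix pairs are taken from the issue text; the per-package release lists are constructed samples, not a live package index, and the `PROPOSED_PINS` encode the relaxation requested above as an assumption about what the maintainers might adopt.

```python
"""Audit dependency pins against the versions that fix known CVEs.

Added example (not PyAirbyte or airbyte-cdk code). Pins and CVE/fix pairs
come from the issue text; KNOWN_RELEASES is a constructed sample list.
"""
import operator
import re

# Pins as reported in the issue, and the relaxation it requests (assumed).
CURRENT_PINS = {"cryptography": ">=44.0.0,<45.0.0", "nltk": "==3.9.1"}
PROPOSED_PINS = {"cryptography": ">=44.0.0,<47.0.0", "nltk": ">=3.9.4"}

# (package, advisory, first fixed version). Advisories with no released fix
# are omitted: no pin change can resolve them.
FIXES = [
    ("cryptography", "CVE-2026-34073", "46.0.6"),
    ("cryptography", "CVE-2026-26007", "46.0.5"),
    ("nltk", "CVE-2026-0846", "3.9.3"),
    ("nltk", "CVE-2025-14009", "3.9.3"),
    ("nltk", "CVE-2026-33231", "3.9.4"),
    ("nltk", "CVE-2026-33230", "3.9.4"),
]

# Constructed sample of releases standing in for a package index.
KNOWN_RELEASES = {
    "cryptography": ["44.0.0", "44.0.1", "45.0.0", "46.0.0", "46.0.5", "46.0.6"],
    "nltk": ["3.9.1", "3.9.2", "3.9.3", "3.9.4"],
}

_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn a dotted release string into a tuple of ints ("46.0.6" -> (46, 0, 6))."""
    return tuple(int(part) for part in text.split("."))


def _padded(a, b):
    """Zero-pad two version tuples so "46" compares equal to "46.0.0"."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def at_least(version, floor):
    """True if `version` is the same as or newer than `floor`."""
    lhs, rhs = _padded(parse_version(version), parse_version(floor))
    return lhs >= rhs


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of `specifier`.

    Only PEP 440's simple comparison operators on release segments are
    handled; pre-release tags and wildcards raise rather than being guessed.
    """
    candidate = parse_version(version)
    for raw in specifier.split(","):
        clause = raw.strip()
        if not clause:
            continue
        match = _CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = match.groups()
        lhs, rhs = _padded(candidate, parse_version(target))
        if not _OPS[op](lhs, rhs):
            return False
    return True


def blocked_fixes(pins, releases=KNOWN_RELEASES, fixes=FIXES):
    """Return advisories for which no admissible release carries the fix."""
    blocked = []
    for package, advisory, fix_version in fixes:
        if package not in pins:
            continue
        reachable = any(
            satisfies(v, pins[package]) and at_least(v, fix_version)
            for v in releases.get(package, [])
        )
        if not reachable:
            blocked.append((package, advisory, fix_version))
    return blocked


def specifiers_conflict(spec_a, spec_b, known_versions):
    """True when no known release satisfies both specifiers at once.

    This is how a transitive requirement (pyopenssl needing cryptography>=46)
    becomes unresolvable under a tight upper bound declared elsewhere.
    """
    return not any(satisfies(v, spec_a) and satisfies(v, spec_b) for v in known_versions)


if __name__ == "__main__":
    for label, pins in (("current", CURRENT_PINS), ("proposed", PROPOSED_PINS)):
        blocked = blocked_fixes(pins)
        print(f"{label} pins leave {len(blocked)} fix(es) unreachable")
        for package, advisory, fix_version in blocked:
            print(f"  {package}: {advisory} fixed in {fix_version}, pin is {pins[package]}")
    print("pyopenssl transitive conflict under current pin:",
          specifiers_conflict(CURRENT_PINS["cryptography"], ">=46",
                              KNOWN_RELEASES["cryptography"]))
```

Run as-is it lists all six advisories as unreachable under the current pins and none under the proposed ones; swapping `KNOWN_RELEASES` for the output of a real index query turns it into a pre-merge check for any pin change.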
