Infrastructure Vulnerability Roundup: 7-Zip 26.02, KubeVirt Migration Proxy, WSO2 API Manager SSRF, Apache Airflow FTPS Cleartext

Coverage: 4 infrastructure vulnerabilities across 7-Zip, KubeVirt, WSO2 API Manager, and Apache Airflow | Highest CVSS: 8.5 | Date: June 26–27, 2026


7-Zip 26.02 — Multiple Bugs and Vulnerabilities Patched

Software affected: 7-Zip versions prior to 26.02 — one of the most widely deployed compression tools on Windows and cross-platform.

Status: 7-Zip 26.02 patches multiple bugs and vulnerabilities. Specific CVE identifiers and technical details have not been disclosed by the developer. 7-Zip vulnerabilities have historically been exploited by threat actors to deliver malware via malicious archives — the tool’s ubiquity on Windows endpoints makes it an attractive vector. The lack of disclosed CVE details means organisations cannot perform targeted risk assessment, making universal updating the only safe approach.

Fix: Update to 7-Zip 26.02. Deploy via endpoint management for enterprise environments.


KubeVirt CVE-2026-13325 — Migration Proxy Plain TCP on All Interfaces (CVSS 8.5)

Software affected: KubeVirt — Kubernetes virtualization add-on for running VMs on Kubernetes clusters.

CVE: CVE-2026-13325 | CVSS 8.5 (HIGH) | CWE-306 Missing Authentication | When spec.configuration.migrations.disableTLS is set to true, the target virt-handler binds a plain TCP listener on 0.0.0.0/:: (all interfaces) on a random port with no authentication. Virtual machine memory contents — including credentials, application data, and secrets — are transmitted over this unauthenticated TCP connection during live migration.

Fix: Apply the KubeVirt patch. Do not disable TLS for VM migrations unless absolutely necessary, and then only in fully isolated network environments.


WSO2 API Manager CVE-2026-2053 — SSRF via WS-Addressing Headers (CVSS 8.3)

Software affected: WSO2 API Manager — widely deployed API gateway and management platform.

CVE: CVE-2026-2053 | CVSS 8.3 (HIGH) | CWE-918 SSRF | The message flow component does not sufficiently validate WS-Addressing headers, allowing attackers to manipulate these headers to target internal services. SSRF in an API gateway is particularly dangerous — it can expose internal services, cloud metadata endpoints (e.g., AWS 169.254.169.254), and backend systems that the gateway is designed to protect.

Fix: Apply WSO2 advisory WSO2-2026-5072.


Apache Airflow CVE-2026-49486 — FTPSHook Data Channel Cleartext (CVSS 7.5)

Software affected: Apache Airflow — popular workflow orchestration platform. Any deployment using the FTPSHook for file transfers.

CVE: CVE-2026-49486 | CVSS 7.5 (HIGH) | CWE-319 Cleartext Transmission | The FTPSHook.get_conn() method creates an ftplib.FTP_TLS connection — which encrypts the control channel — but never calls prot_p() to encrypt the data channel. Despite the “FTPS” name implying full encryption, all file data is transmitted in cleartext. Any organisation using FTPSHook to transfer sensitive data via Airflow pipelines has been unknowingly exposing that data.

Fix: Fixed in Apache Airflow per GitHub PR #67946. Upgrade Airflow and verify FTPS data channel encryption after the update.


Recommendations

  • 7-Zip: Update to 26.02 across all endpoints — prioritise systems that handle archives from external sources.
  • KubeVirt: Patch immediately — VM memory exposure via unauthenticated TCP is a critical confidentiality breach.
  • WSO2: Apply advisory WSO2-2026-5072 — SSRF in API gateways exposes internal infrastructure.
  • Apache Airflow: Upgrade and verify FTPS encryption — audit any data transferred via FTPSHook prior to the fix for potential exposure.

References

Part of the Vulnerability Intelligence series on threat-modeling.com. Infrastructure vulnerability roundup covering 4 products. See the June 27, 2026 Vulnerability Intelligence Report for broader context.
