Outdated cryptography dependency contains CVE-2026-26007

[MonkeyCanCode]

Hello,

I noticed we are pinned the following for cryptography version which has CVE-2026-26007:

cryptography = ">=44.0.0,<45.0.0"  # Constrained as transitive dependency due to a bug in newer versions

Is there a plan to update this to a newer version?

Thanks,
Yong

---

Internal Tracking: https://github.com/airbytehq/oncall/issues/11849

[devin-ai-integration]

Hi Yong Zheng (@MonkeyCanCode), thank you for reporting this!

You're correct — the cryptography package is currently pinned to >=44.0.0,<45.0.0 in the CDK, and CVE-2026-26007 (CVSS 8.2 HIGH / 6.5 MEDIUM) affects all versions prior to 46.0.5.

CVE-2026-26007 Assessment

What it is: A missing subgroup validation flaw in elliptic curve operations (load_pem_public_key(), public_key_from_numbers(), etc.) that allows small-subgroup attacks on SECT binary elliptic curves. This can leak private key bits via ECDH or enable signature forgery via ECDSA.

Practical impact on Airbyte connectors: The vulnerability only affects SECT binary curves, which are rarely used in real-world applications. Airbyte connectors primarily use standard NIST prime curves (P-256, P-384) for TLS and OAuth — not SECT curves. While the direct exploitation risk to Airbyte users is low, updating the dependency is still the right thing to do from a security hygiene perspective.

Fix: cryptography >= 46.0.5

There was a recent attempt in PR #968 to widen the cryptography range, but the change was reverted due to a compatibility issue with newer versions. The team is aware of the constraint and we've escalated this internally to ensure it gets addressed.

I've created an internal tracking issue for this — the engineering team will evaluate unblocking the upgrade to cryptography >= 46.0.5.

---

Need more help? Join Airbyte Community Slack for peer support, or if you're a Cloud customer, open a support ticket referencing this URL.

[devin-ai-integration]

This issue is being tracked internally: https://github.com/airbytehq/oncall/issues/11849