Path Traversal Vulnerability in Apache Airflow Samba Provider
CVE-2026-49818

6.5MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
9 June 2026

What is CVE-2026-49818?

The Apache Airflow Samba provider contains a vulnerability in the GCSToSambaOperator that permits path traversal. Specifically, the operator improperly joins Google Cloud Storage (GCS) object names to the SMB destination path without validating the containment of these paths. This oversight allows an attacker with write access to the GCS bucket to leverage specially crafted object names containing ../ segments, potentially leading to arbitrary file writes on the Samba target. It is crucial to upgrade to version 4.12.6 or later of the apache-airflow-providers-samba to ensure that the resolved destination paths remain within the intended destination_path.

Affected Version(s)

Apache Airflow Samba provider 0 < 4.12.6

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

secuholic
Jarek Potiuk
.