Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.

Basic Information

ID CVE-2026-49818

Source apache

Published Jun 9, 2026 at 07:42

Modified Jun 9, 2026 at 15:27

Affected Product

Vendor Apache Software Foundation

Product Apache Airflow Samba provider

Affected Versions Apache Software Foundation Apache Airflow Samba provider 0

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket \u2014 typically an external data producer distinct from the trusted DAG author \u2014 could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.",
    "published": "2026-06-09T07:42:48.028Z",
    "modified": "2026-06-09T15:27:06.709Z",
    "type": "cve",
    "title": "Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names",
    "source": "apache",
    "references": "https://github.com/apache/airflow/pull/67857\nhttps://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf",
    "id": "CVE-2026-49818",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Airflow Samba provider 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Airflow Samba provider",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names_CVE-2026-49818