{“lastseen”:””,”description”:”The Apache Airflow Samba provider’s `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `..\/` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket \u2014 typically an external data producer distinct from the trusted DAG author \u2014 could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.”,”published”:”2026-06-09T07:42:48.028Z”,”modified”:”2026-06-09T15:27:06.709Z”,”type”:”cve”,”title”:”Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names”,”source”:”apache”,”references”:”https:\/\/github.com\/apache\/airflow\/pull\/67857\\nhttps:\/\/lists.apache.org\/thread\/3vs0m3p51psgf54tts18d6336g24x3sf”,”id”:”CVE-2026-49818″,”bulletinFamily”:””,”cwe”:[“CWE-22″],”cvelist”:null,”sourceData”:”Apache Software Foundation Apache Airflow Samba provider 0″,”sourceHref”:””,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Apache Airflow Samba provider”,”version”:”0″,”vendor”:”Apache Software Foundation”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”The Apache Airflow Samba provider’s `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `..\/`…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,26,12,21,13,7,11,5],"class_list":["post-61081","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n