๐Ÿ” CVE Alert

CVE-2026-49818

MEDIUM 6.5

Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
5th

The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names onto the SMB destination path without a containment check, so an object whose name contained `../` segments resolved to a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket (typically an external data producer, distinct from the trusted DAG author) could therefore cause the operator to write files to arbitrary locations on the Samba target when it ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates that the resolved destination stays within `destination_path`.
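The two join strategies described above, side by side, as an added illustration that is not code from the Airflow project: `join_unchecked` is the pre-fix pattern (plain join, then resolve), and `join_contained` is the kind of containment check the fix adds. The function names, the `/share/inbound` destination and the list of sample object names are all constructed for this example; the real operator's internals are not reproduced here.

```python
import posixpath

# Constructed sample destination and GCS object names (not from the advisory).
DESTINATION = "/share/inbound"
SAMPLE_OBJECT_NAMES = [
    "2026/06/report.csv",   # ordinary nested object: allowed
    "a/../b.csv",           # '..' that never leaves the base: allowed
    "..hidden.csv",         # leading dots but not a '..' segment: allowed
    "../../etc/target",     # climbs above the base: rejected
    "/abs/elsewhere",       # absolute name discards the base on join: rejected
    "..\\..\\up.txt",       # backslash separators, same effect on SMB: rejected
]


class PathTraversalError(ValueError):
    """Raised when an object name would resolve outside destination_path."""


def _as_posix(name: str) -> str:
    # Assumption: the SMB target accepts '\' as well as '/' as a separator,
    # so normalise backslashes before checking rather than trust either form.
    return name.replace("\\", "/")


def join_unchecked(destination_path: str, object_name: str) -> str:
    """Pre-fix pattern: join and resolve, with no containment check."""
    return posixpath.normpath(posixpath.join(destination_path, _as_posix(object_name)))


def join_contained(destination_path: str, object_name: str) -> str:
    """Fixed pattern: the resolved path must name a file inside destination_path."""
    name = _as_posix(object_name)
    if "\x00" in name:
        raise PathTraversalError(f"NUL byte in object name {object_name!r}")
    base = posixpath.normpath(destination_path)
    # join() drops base entirely when name is absolute; normpath() collapses
    # '.' and '..' segments, so candidate is the path that would really be written.
    candidate = posixpath.normpath(posixpath.join(base, name))
    rel = posixpath.relpath(candidate, base)
    # rel is '.' when nothing was appended, or starts with a '..' segment when
    # the candidate lies outside base (relpath uses '..' only for that).
    if rel == posixpath.curdir or rel.split("/", 1)[0] == posixpath.pardir:
        raise PathTraversalError(f"{object_name!r} escapes {destination_path!r}")
    return candidate


def escapes(destination_path: str, object_name: str) -> bool:
    """True when join_contained would refuse this object name."""
    try:
        join_contained(destination_path, object_name)
    except PathTraversalError:
        return True
    return False


def partition_object_names(destination_path: str, object_names):
    """Split object names into {name: resolved_path} and {name: reason}."""
    accepted, rejected = {}, {}
    for name in object_names:
        try:
            accepted[name] = join_contained(destination_path, name)
        except PathTraversalError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    for name in SAMPLE_OBJECT_NAMES:
        print(f"{name!r:22} unchecked -> {join_unchecked(DESTINATION, name)}")
    ok, bad = partition_object_names(DESTINATION, SAMPLE_OBJECT_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```

Checking the resolved path rather than scanning the name for `../` is deliberate: it also catches absolute names (which `posixpath.join` silently lets replace the base), alternate separators, and names that merely look suspicious (`..hidden.csv`) without rejecting them.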

CWE CWE-22
Vendor Apache Software Foundation
Product Apache Airflow Samba provider
Published Jun 9, 2026
Last Updated Jun 9, 2026

Affected Versions

Apache Software Foundation / Apache Airflow Samba provider
All versions before 4.12.6 (0 ≤ version < 4.12.6)

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/apache/airflow/pull/67857
lists.apache.org: https://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/09/8

Credits

secuholic Jarek Potiuk