CVE-2026-49818

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-49818
The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/apache/airflow/pull/67857 Issue Tracking Patch
https://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/06/09/8 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:apache-airflow-providers-samba:*:*:*:*:*:*:*:*
History

12 Jun 2026, 15:51

Type Values Removed Values Added
References () https://github.com/apache/airflow/pull/67857 - () https://github.com/apache/airflow/pull/67857 - Issue Tracking, Patch
References () https://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf - () https://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2026/06/09/8 - () http://www.openwall.com/lists/oss-security/2026/06/09/8 - Mailing List, Third Party Advisory
CPE cpe:2.3:a:apache:apache-airflow-providers-samba:*:*:*:*:*:*:*:*
First Time Apache apache-airflow-providers-samba
Apache

09 Jun 2026, 17:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5

09 Jun 2026, 11:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2026/06/09/8 -

09 Jun 2026, 09:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-06-09 09:16

Updated : 2026-06-12 15:51

NVD link : CVE-2026-49818

Mitre link : CVE-2026-49818

CVE.ORG link : CVE-2026-49818

JSON object : View

Products Affected

apache

  • apache-airflow-providers-samba
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')