CVE-2026-49818
Published:June 09, 2026
Updated:June 11, 2026
The Apache Airflow Samba provider's "GCSToSambaOperator" joined GCS object names to the SMB destination path without a containment check, so an object named with "../" segments resolved a write path outside the configured "destination_path". An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within "destination_path".
Affected Packages
apache-airflow-providers-samba (CONDA):
Affected version(s) >=1.0.1 <4.12.6Fix Suggestion:
Update to version 4.12.6https://github.com/apache/airflow.git (GITHUB):
Affected version(s) >=providers-samba/1.0.0 <providers-samba/4.12.6Fix Suggestion:
Update to version providers-samba/4.12.6apache-airflow-providers-samba (PYTHON):
Affected version(s) >=1.0.0 <4.12.6Fix Suggestion:
Update to version 4.12.6Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS
Base Score:
0.03