CVE-2026-49818
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
The Apache Airflow Samba provider's `GCSToSambaOperator` had a flaw that joined GCS object names to the SMB destination path without a containment check. An attacker could exploit `../` segments to write files to arbitrary locations on the Samba target.
Risk Assessment
The organization may be exposed to unauthorized file writes in unintended locations, potentially leading to data leakage or deletion of critical files.
Recommendation
It is recommended to upgrade the apache-airflow-providers-samba package to version 4.12.6 or later to ensure destination path validation.
Original NVD description (English source)
The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.

