CVE Catalog

CVE-2026-49818

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile - higher than 11% of all known CVEs

Summary

The Apache Airflow Samba provider's `GCSToSambaOperator` had a flaw that joined GCS object names to the SMB destination path without a containment check. An attacker could exploit `../` segments to write files to arbitrary locations on the Samba target.

Risk Assessment

The organization may be exposed to unauthorized file writes in unintended locations, potentially leading to data leakage or deletion of critical files.

Recommendation

It is recommended to upgrade the apache-airflow-providers-samba package to version 4.12.6 or later to ensure destination path validation.

Original NVD description (English source)

The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS