Description
The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.
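The containment check described above, as an added example written for this page (not the provider's own code). `join_unchecked` reproduces the vulnerable pattern; `resolve_within` is the hardened form; `escaping_objects` audits a bucket listing. The share path and object names are constructed samples.

```python
import posixpath


def join_unchecked(destination_path: str, object_name: str) -> str:
    """Vulnerable pattern: the object name is joined straight onto the
    destination and normalised, with no check that the result stays inside."""
    return posixpath.normpath(posixpath.join(destination_path, object_name))


def resolve_within(destination_path: str, object_name: str) -> str:
    """Hardened pattern: resolve the candidate path and require that it is the
    destination itself or a descendant of it; raise ValueError otherwise."""
    # Treat backslashes as separators too (assumption: the target is an SMB
    # share, where a backslash-bearing name would otherwise bypass a '/'-only check).
    name = object_name.replace("\\", "/")
    base = posixpath.normpath(destination_path)
    # posixpath.join discards base when name is absolute, so '/etc/x' is
    # also caught by the prefix test below.
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Compare against base plus a trailing separator so that a sibling such as
    # '/share/in-evil' is not accepted as lying under '/share/in'.
    root = base if base.endswith("/") else base + "/"
    if candidate != base and not candidate.startswith(root):
        raise ValueError(f"object name {object_name!r} escapes {destination_path!r}")
    return candidate


def escaping_objects(destination_path: str, object_names):
    """Audit helper: return the object names in a listing that would escape
    destination_path, in listing order."""
    bad = []
    for name in object_names:
        try:
            resolve_within(destination_path, name)
        except ValueError:
            bad.append(name)
    return bad


if __name__ == "__main__":
    SHARE = "/srv/share/incoming"          # constructed destination_path
    LISTING = [                            # constructed GCS object names
        "reports/2026/q1.csv",
        "reports/../ok.csv",
        "../../etc/passwd",
        "../incoming-evil/x",
        "/etc/passwd",
    ]
    for name in LISTING:
        print(f"{name!r:28} unchecked -> {join_unchecked(SHARE, name)}")
    print("would escape:", escaping_objects(SHARE, LISTING))
```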
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GCSToSambaOperator concatenates GCS object names into the SMB destination path without ensuring the resulting path stays inside the configured directory. An object name containing "../" segments can therefore escape the intended directory and overwrite or create files at arbitrary locations on the Samba target, which can lead to data loss or service disruption.

Affected Systems

All installations of the Apache Airflow Samba provider before version 4.12.6 are affected; the vulnerability exists in the GCSToSambaOperator component used when transferring objects from Google Cloud Storage to a Samba share.

Risk and Exploitability

The vulnerability is not listed in CISA KEV. The EPSS score is less than 1%, indicating a low but non-zero probability of exploitation. The path traversal allows an attacker who can write objects into the source GCS bucket to access arbitrary locations on the Samba target when the GCSToSambaOperator runs, potentially leading to unauthorized data modification, overwrites, or denial of service.

Generated by OpenCVE AI on June 9, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to apache-airflow-providers-samba 4.12.6 or later.
  • Restrict write access to the source GCS bucket so that only trusted DAG authors can upload objects.
  • Implement monitoring on the Samba target to detect unexpected file modifications.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:30:00 +0000
  Type: Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Tue, 09 Jun 2026 11:30:00 +0000
  Type: References

Tue, 09 Jun 2026 10:15:00 +0000
  Type: First Time appeared
  Values Added: Apache; Apache airflow Samba Provider
  Type: Vendors & Products
  Values Added: Apache; Apache airflow Samba Provider

Tue, 09 Jun 2026 08:45:00 +0000
  Type: Description
  Values Added: The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.
  Type: Title
  Values Added: Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names
  Type: Weaknesses
  Values Added: CWE-22
  Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-10T17:37:57.296Z

Reserved: 2026-06-01T17:37:44.180Z

Link: CVE-2026-49818

Vulnrichment

Updated: 2026-06-09T11:03:31.617Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T09:16:30.443

Modified: 2026-06-09T17:17:47.530

Link: CVE-2026-49818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:45:05Z

Weaknesses