
Airflow Samba Provider EUVD-2026-35374 | CVE-2026-49818 MEDIUM
Path Traversal (CWE-22)
CVSS 3.1 (Vendor): 6.5

Severity by source

Vendor (CNA), primary: 6.5 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Primary rating from Vendor (CNA) · only source for this CVE.

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (3 events)

CVSS changed: Jun 09, 2026 - 17:22 (NVD), 6.5 (MEDIUM)
Patch available: Jun 09, 2026 - 10:01 (EUVD)
Analysis Generated: Jun 09, 2026 - 08:46 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain write access to source GCS bucket
Delivery: Upload object with path traversal name (e.g., ../../target/path/file)
Exploit: Airflow DAG triggers GCSToSambaOperator
Execution: Operator constructs destination path without sanitizing object name
Persist: File written to unintended location on Samba share
Impact: Overwrite sensitive files or inject executable content

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to control or influence the name of objects stored in the GCS bucket that serves as the source for a GCSToSambaOperator invocation, either through direct GCS bucket write access or by poisoning an upstream data pipeline stage that deposits objects into the bucket. …

Risk Assessment: No CVSS vector or score is available for this pre-NVD disclosure, making any quantitative risk comparison impossible at this stage. …

Exploit Scenario: An attacker with write access to the source GCS bucket, or with the ability to influence upstream pipeline stages that populate bucket objects, uploads a file with a crafted name such as `../../airflow/dags/backdoor.py`. When a scheduled or triggered Airflow DAG executes GCSToSambaOperator, the operator builds the destination path without sanitizing the object name, writing the file to the traversed location on the Samba share. …

Remediation: No vendor-released patch has been confirmed at time of analysis; this is a pre-NVD, pre-advisory disclosure. …
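The defect described above is a destination path built by appending an untrusted object name to a directory without checking where the result lands. The following added example (not Apache Airflow's code and not the Samba provider's actual implementation) shows a path-construction helper that rejects such names, a hypothetical `naive_destination_path` that approximates the unsanitized join the advisory describes, and an `audit_object_names` routine a defender can run over a bucket listing before a transfer executes. The function names, the destination directory `/share/incoming` and the sample object names are all constructed for illustration.

```python
"""Added example, not Apache Airflow's own code: building a Samba destination
path from a GCS object name so that traversal sequences cannot escape the
intended directory. All names (functions, destination directory, sample object
names) are constructed for illustration."""
import posixpath


class UnsafeObjectName(ValueError):
    """Raised when an object name would resolve outside the destination directory."""


def naive_destination_path(destination_dir: str, object_name: str) -> str:
    """Hypothetical approximation of the unsanitized join the advisory describes
    (not the operator's actual code): the object name is appended as-is, so
    '..' components in it walk out of destination_dir."""
    return posixpath.normpath(posixpath.join(destination_dir, object_name))


def safe_destination_path(destination_dir: str, object_name: str) -> str:
    """Join object_name onto destination_dir, refusing names that could escape.

    GCS object names use '/' as separator, so they are handled as relative
    POSIX-style paths. Rejected: empty names, absolute names, names containing
    backslashes or NUL, names that normalize to '.' or still contain a '..'
    component, and anything whose resolved form is not under destination_dir.
    """
    if not object_name or object_name.startswith("/"):
        raise UnsafeObjectName(f"empty or absolute object name: {object_name!r}")
    if "\\" in object_name or "\x00" in object_name:
        raise UnsafeObjectName(f"disallowed characters in object name: {object_name!r}")

    normalized = posixpath.normpath(object_name)
    # A '..' that survives normalization can only point above destination_dir;
    # a name that collapses to '.' would target the directory itself.
    if (normalized in (".", "..")
            or normalized.startswith("../")
            or "/../" in normalized):
        raise UnsafeObjectName(f"object name escapes destination: {object_name!r}")

    base = posixpath.normpath(destination_dir)
    candidate = posixpath.normpath(posixpath.join(base, normalized))
    # Defence in depth: independently of the string checks above, the resolved
    # path must still have destination_dir as its prefix.
    if posixpath.commonpath([base, candidate]) != base:
        raise UnsafeObjectName(f"resolved path leaves destination: {candidate!r}")
    return candidate


# Constructed bucket listing used to exercise the checks; not real data.
SAMPLE_OBJECT_NAMES = [
    "reports/2026/q1.csv",
    "../../target/path/file",   # traversal sequence quoted in the attack chain above
    "logs/./daily.log",
    "/etc/hosts",               # absolute name
    "nested/../sibling.txt",    # '..' that stays inside the destination
]


def audit_object_names(destination_dir: str, object_names) -> list:
    """Return the object names that safe_destination_path would reject, so a
    bucket listing can be checked before a transfer runs."""
    rejected = []
    for name in object_names:
        try:
            safe_destination_path(destination_dir, name)
        except UnsafeObjectName:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    dest = "/share/incoming"
    for name in SAMPLE_OBJECT_NAMES:
        try:
            print(f"{name!r:28} -> {safe_destination_path(dest, name)}")
        except UnsafeObjectName as exc:
            print(f"{name!r:28} -> REJECTED ({exc}); "
                  f"naive join would give {naive_destination_path(dest, name)}")
```

The two layers are deliberate: the component check gives a clear error before any path is formed, and the `commonpath` comparison catches anything the string rules miss. A name such as `nested/../sibling.txt` is allowed because it resolves inside the destination; whether to permit any `..` at all is a policy choice, and rejecting every name containing `..` is the stricter option.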

Recommended Action (AI)

Within 24 hours: Inventory all Airflow deployments using GCSToSambaOperator and audit GCS bucket permissions. …

