Apache Airflow Providers Samba
Monthly
Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. No public exploit code has been identified at time of analysis, and CVSS scoring is not yet available.
Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. No public exploit code has been identified at time of analysis, and CVSS scoring is not yet available.