{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-49818","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-06-01T17:37:44.180Z","datePublished":"2026-06-09T07:42:48.028Z","dateUpdated":"2026-06-10T17:37:57.296Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://pypi.python.org","defaultStatus":"unaffected","packageName":"apache-airflow-providers-samba","product":"Apache Airflow Samba provider","vendor":"Apache Software Foundation","versions":[{"lessThan":"4.12.6","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"secuholic"},{"lang":"en","type":"remediation developer","value":"Jarek Potiuk"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The Apache Airflow Samba provider&#x27;s `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`."}],"value":"The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`."}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-06-10T17:37:57.296Z"},"references":[{"tags":["patch"],"url":"https://github.com/apache/airflow/pull/67857"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf"}],"source":{"discovery":"UNKNOWN"},"title":"Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names","x_generator":{"engine":"airflow-s/generate_cve_json.py"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/09/8"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-06-09T11:03:31.617Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","integrityImpact":"LOW","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-06-09T15:27:01.612337Z","id":"CVE-2026-49818","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-09T15:27:06.709Z"}}]}}