CVE-2026-49818
Description
Apache Airflow Samba provider's GCSToSambaOperator allows arbitrary file writes via path traversal in object names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The GCSToSambaOperator in the Apache Airflow Samba provider versions prior to 4.12.6 joins GCS object names to the SMB destination path without proper validation. This allows crafted object names containing ../ segments to resolve a write path outside the configured destination_path.
Exploitation
An attacker who can write objects into the source GCS bucket can create an object with a name containing ../ segments. When the GCSToSambaOperator processes this object, it will resolve the destination path outside the intended directory on the Samba target, leading to an arbitrary file write.
Impact
Successful exploitation allows an attacker to write files to arbitrary locations on the Samba target system. This could lead to the overwriting of critical system files or the placement of malicious files, potentially resulting in further compromise.
Mitigation
Upgrade the apache-airflow-providers-samba package to version 4.12.6 or later. This version includes a fix that normalizes the resolved path and refuses to write when it falls outside the destination_path [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=4.12.6
Patches
1bc1df029af15 Validate GCSToSambaOperator destination path stays within destination_path (#67857)
2 files changed · +43 −1
providers/samba/src/airflow/providers/samba/transfers/gcs_to_samba.py+11 −1 modified@@ -177,7 +177,17 @@ def _resolve_destination_path(self, source_object: str, prefix: str | None = Non source_object = os.path.relpath(source_object, start=prefix) else: source_object = os.path.basename(source_object) - return os.path.join(self.destination_path, source_object) + # Source object names come from the GCS bucket and may contain ".." segments. + # Normalize the joined path and make sure it stays within destination_path so a + # crafted object name cannot resolve a write target outside the configured directory. + resolved = os.path.normpath(os.path.join(self.destination_path, source_object)) + base = os.path.normpath(self.destination_path) + if resolved != base and not resolved.startswith(base + os.sep): + raise ValueError( + f"Resolved destination path {resolved!r} is outside the configured " + f"destination_path {base!r}; refusing to write outside it." + ) + return resolved def _copy_single_object( self,
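Review bot: the containment test `resolved != base and not resolved.startswith(base + os.sep)` mis-handles a destination_path that normalizes to the root: `os.path.normpath("/")` is `"/"`, so `base + os.sep` becomes `"//"` and every object under a root destination is refused. `os.path.commonpath([base, resolved]) == base` handles that case and the sibling-directory case (`/share/in` vs `/share/incoming`) in one expression. Two smaller points: the method can now raise `ValueError`, which the docstring should state, and the check relies on `os.sep` on the worker, so a comment should record the assumption that destination_path and object names are `/`-separated (the tests compare against `os.path.join(DESTINATION_SMB, "dir/file.txt")`).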
providers/samba/tests/unit/samba/transfers/test_gcs_to_samba.py+32 −0 modified@@ -370,3 +370,35 @@ def test_execute_more_than_one_wildcard_exception(self, samba_hook_mock, gcs_hoo ) with pytest.raises(AirflowException): operator.execute(None) + + @pytest.mark.parametrize( + "source_object", + [ + "../../victim_area/payload", + "../escape", + "subdir/../../escape", + ], + ) + def test_resolve_destination_path_rejects_traversal(self, source_object): + operator = GCSToSambaOperator( + task_id=TASK_ID, + source_bucket=TEST_BUCKET, + source_object=source_object, + destination_path=DESTINATION_SMB, + gcp_conn_id=GCP_CONN_ID, + samba_conn_id=SAMBA_CONN_ID, + ) + with pytest.raises(ValueError, match="outside the configured"): + operator._resolve_destination_path(source_object) + + def test_resolve_destination_path_allows_contained_object(self): + operator = GCSToSambaOperator( + task_id=TASK_ID, + source_bucket=TEST_BUCKET, + source_object="dir/file.txt", + destination_path=DESTINATION_SMB, + gcp_conn_id=GCP_CONN_ID, + samba_conn_id=SAMBA_CONN_ID, + ) + resolved = operator._resolve_destination_path("dir/file.txt") + assert resolved == os.path.join(DESTINATION_SMB, "dir/file.txt")
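Review bot: the parametrized cases all start relative to destination_path; add an absolute object name (for example `"/elsewhere/file"`), because `os.path.join` discards `destination_path` when its second argument is absolute, and a case that goes through the `prefix=` branch, where `os.path.relpath` yields `..` for an object not under the prefix. Also confirm that `os` is imported in this test module: the new assertion calls `os.path.join` and the hunk adds no import.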
Vulnerability mechanics
Root cause
"The Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check."
Attack vector
An attacker must be able to write objects into the source GCS bucket. When the `GCSToSambaOperator` runs, it joins the GCS object name to the configured `destination_path`. If the object name contains `../` segments, it can resolve a write path outside the intended `destination_path` on the Samba target.
Affected code
The vulnerability exists in the `GCSToSambaOperator._resolve_destination_path` method within `providers/samba/src/airflow/providers/samba/transfers/gcs_to_samba.py`. The patch modifies this method to include path normalization and validation [patch_id=5322842].
What the fix does
The patch normalizes the joined destination path and verifies that it remains within the configured `destination_path`. If the resolved path attempts to write outside the intended directory, a `ValueError` is raised, preventing the operation. This ensures that crafted object names cannot be used to write files to arbitrary locations on the Samba target [patch_id=5322842].
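The resolver below is an added example, not the provider's code, written to show the containment check the fix introduces and to dry-run it over a constructed set of object names. It follows the relpath/basename structure visible in the patch's context lines; the `keep_directory_structure` switch is an assumption made so both branches can be exercised stand-alone. It goes a little beyond the patch in two ways: it uses `posixpath.commonpath` instead of a `startswith` test, which also handles a root destination and a sibling directory with the same name prefix, and it covers an absolute object name, which `join` would otherwise let replace `destination_path` entirely. SMB paths are treated as `/`-separated, as the page's tests do.

```python
"""Added example (not the provider's code): a destination resolver for a
GCS -> SMB transfer that refuses object names escaping destination_path."""
import posixpath
from typing import Optional


def resolve_destination(
    destination_path: str,
    source_object: str,
    prefix: Optional[str] = None,
    keep_directory_structure: bool = True,
) -> str:
    """Return the SMB path an object would be written to, or raise ValueError.

    The relpath/basename branch mirrors the context lines of the patch; the
    keep_directory_structure switch is an assumption for this example. SMB
    paths are treated as '/'-separated (posixpath), as the page's tests do,
    so behaviour is identical on any host.
    """
    if not keep_directory_structure:
        if prefix:
            # Strip the wildcard prefix. relpath() emits '..' when the object is
            # not actually under the prefix, so the containment check still matters.
            source_object = posixpath.relpath(source_object, start=prefix)
        else:
            source_object = posixpath.basename(source_object)

    base = posixpath.normpath(destination_path)
    # join() drops destination_path entirely if source_object is absolute;
    # normpath() collapses '..' segments so the check sees the real target.
    resolved = posixpath.normpath(posixpath.join(destination_path, source_object))

    # Containment via commonpath rather than startswith(): it also handles a
    # root destination ('/') and a sibling directory sharing a name prefix
    # ('/share/in' vs '/share/incoming').
    try:
        contained = posixpath.commonpath([base, resolved]) == base
    except ValueError:
        # Mixing absolute and relative paths can never be contained.
        contained = False
    if not contained:
        raise ValueError(
            f"Resolved destination path {resolved!r} is outside destination_path {base!r}"
        )
    return resolved


# Constructed object names: ordinary files plus the traversal shapes the
# patch's tests use, and one absolute name.
SAMPLE_OBJECTS = [
    "dir/file.txt",
    "subdir/../file.txt",
    "../escape",
    "subdir/../../escape",
    "/absolute/elsewhere",
]


def audit_objects(destination_path: str, objects=SAMPLE_OBJECTS) -> dict:
    """Dry-run every object name and record whether it would be written or refused."""
    outcome = {}
    for name in objects:
        try:
            outcome[name] = "write " + resolve_destination(destination_path, name)
        except ValueError:
            outcome[name] = "refuse"
    return outcome


if __name__ == "__main__":
    for name, result in audit_objects("/share/incoming").items():
        print(f"{name!r:24} -> {result}")
```

Running the module prints one line per constructed object name; `subdir/../file.txt` is accepted because it normalizes to a path inside the destination, while both `..`-escapes and the absolute name are refused. The same check applies on the prefix branch, where an object outside the wildcard prefix produces a `..`-relative name.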
Preconditions
- Input: the attacker must be able to write objects into the source GCS bucket.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.