What is GHSA-f6vj-48fm-hmvx?

GHSA-f6vj-48fm-hmvx is a security advisory published by GitHub Security Advisories with Medium severity. The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB...

Which CVE IDs does GHSA-f6vj-48fm-hmvx cover?

GHSA-f6vj-48fm-hmvx covers the following CVE IDs: CVE-2026-49818. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-f6vj-48fm-hmvx?

GHSA-f6vj-48fm-hmvx has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

GHSA-f6vj-48fm-hmvxMediumCVSS 6.5

The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB...

Vendor

GitHub Security Advisories

Published

June 9, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-49818 →

📋 Description

The Apache Airflow Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check, so an object named with ../ segments resolved a write path outside the configured destination_path. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within destination_path.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-49818
https://github.com/apache/airflow/pull/67857
https://lists.apache.org/thread/3vs0m3p51psgf54tts18d6336g24x3sf
http://www.openwall.com/lists/oss-security/2026/06/09/8
https://github.com/advisories/GHSA-f6vj-48fm-hmvx