PYSEC-2026-208

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-samba/PYSEC-2026-208.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-208
Aliases
Published
2026-06-09T09:16:30.443Z
Modified
2026-06-13T10:45:05.285426528Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The Apache Airflow Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check, so an object named with ../ segments resolved a write path outside the configured destination_path. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within destination_path.

References

Affected packages

PyPI / apache-airflow-providers-samba

Package

Name
apache-airflow-providers-samba
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-samba

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.12.6

Affected versions

1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
2.*
2.0.0rc1
2.0.0rc2
2.0.0
3.*
3.0.0rc1
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2
3.0.3rc1
3.0.3
3.0.4rc1
3.0.4
4.*
4.0.0rc1
4.0.0rc2
4.0.0
4.1.0rc1
4.1.0
4.2.0rc1
4.2.0rc2
4.2.0
4.2.1rc1
4.2.1
4.2.2rc1
4.2.2
4.3.0rc1
4.3.0
4.4.0rc1
4.4.0
4.5.0rc1
4.5.0
4.6.0rc1
4.6.0rc2
4.6.0
4.7.0rc1
4.7.0
4.7.1rc1
4.7.1
4.8.0rc1
4.8.0
4.9.0rc1
4.9.0rc2
4.9.0
4.9.1rc1
4.9.1
4.9.2rc1
4.9.2
4.10.0rc1
4.10.0
4.10.1rc1
4.10.1
4.10.2rc1
4.10.2
4.10.3rc1
4.10.3
4.11.0rc1
4.11.0
4.11.1rc1
4.11.1
4.12.0rc1
4.12.0
4.12.1rc1
4.12.1
4.12.2rc1
4.12.2
4.12.3rc1
4.12.3
4.12.4rc1
4.12.4
4.12.5rc1
4.12.5
4.12.6rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-samba/PYSEC-2026-208.yaml"