CVE-2026-40861

6.5 MEDIUM

A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server ...

Published: 2026-06-01 · Last updated: 2026-06-02

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-59

Affected products

Vendor	Product
apache	airflow

Description

A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-40861
[Patch]https://github.com/apache/airflow/pull/65325
[Vendor advisory]https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl
[Other]http://www.openwall.com/lists/oss-security/2026/05/31/1

Related CVEs

Same vendor

CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)

Same CWE

CVE-2026-54230 — A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport (7.0 HIGH)
CVE-2026-54056 — Kitty is a cross-platform GPU based terminal (7.6 HIGH)
CVE-2026-54055 — Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)
CVE-2025-46293 — This issue was addressed with improved handling of symlinks (5.5 MEDIUM)
CVE-2026-45384 — bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files (6.1 MEDIUM)