CVE-2026-40861
Path Traversal in Apache Airflow
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache-airflow | From 3.2.2 (inc) |
| apache | airflow | From 3.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Airflow lets a Dag author escape the task log directory in one of two ways: by planting a symlink inside the task's own log directory that points at an arbitrary file readable by the API server, or by supplying a specially crafted task_id containing '..' path components. In either case the FileTaskHandler resolves the log path outside the configured base log folder, so files outside that folder can be read or overwritten.
Specifically, FileTaskHandler._read_from_local could follow a symlink out of the configured log directory, letting the log viewer stream the contents of arbitrary files to whoever can view that task's logs. The issue only affects deployments where the worker log folder is shared with the API server, since that is what puts worker-controlled paths on the API server's filesystem.
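To make the two escape routes concrete, here is a small Python model of a log-path builder of the kind described above, next to a hardened version. This is an added illustration, not Airflow's FileTaskHandler code: the path template `{dag_id}/{run_id}/{task_id}/{try_number}.log`, the base folder, the function names and the files it creates are assumptions for the demonstration. The naive builder joins untrusted identifiers onto the base folder and leaves it to the operating system to resolve both '..' components and symlinks; the hardened one rejects identifiers that are not a single plain path component and, after resolving symlinks with realpath, confirms the result is still under the base folder before anything is opened.

```python
import os
import tempfile

# Simplified stand-in for a task-log path template (assumption; not Airflow's
# own template). Every field comes from the DAG author.
LOG_TEMPLATE = "{dag_id}/{run_id}/{task_id}/{try_number}.log"


def naive_log_path(base, dag_id, run_id, task_id, try_number):
    """Vulnerable pattern: join untrusted identifiers onto the base folder.
    Nothing here stops '..' components or symlinks from leaving base; the OS
    resolves both when the file is opened."""
    rel = LOG_TEMPLATE.format(dag_id=dag_id, run_id=run_id,
                              task_id=task_id, try_number=try_number)
    return os.path.join(base, rel)


def is_within(base, path):
    """True only if path, with symlinks and '..' fully resolved, is base or
    lies under it. commonpath (not startswith) avoids the '/logs' vs
    '/logs2' prefix trap."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def check_log_path(base, dag_id, run_id, task_id, try_number):
    """Hardened pattern. Returns (verdict, path) where verdict is 'ok',
    'bad-identifier' or 'escapes-base'; only 'ok' paths should be opened."""
    for ident in (dag_id, run_id, task_id):
        # Each identifier must be exactly one plain path component.
        if (not ident or ident in (".", "..") or "/" in ident
                or "\\" in ident or os.sep in ident or "\x00" in ident):
            return "bad-identifier", None
    path = naive_log_path(base, dag_id, run_id, task_id, try_number)
    # Containment is checked on the resolved path, so a symlink planted in the
    # task directory is caught even though every identifier looked harmless.
    if not is_within(base, path):
        return "escapes-base", path
    return "ok", path


def demo_symlink_escape():
    """Constructed scenario: a DAG author who can write into their task's log
    directory plants a symlink there pointing at a file outside the log
    folder. Returns (leaked_by_naive_reader, hardened_verdict)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "logs")
        secret = os.path.join(root, "airflow.cfg")  # stands in for a sensitive file
        with open(secret, "w") as f:
            f.write("[core]\nfernet_key = not-really-secret\n")
        task_dir = os.path.join(base, "dag_a", "run_1", "extract")
        os.makedirs(task_dir)
        os.symlink(secret, os.path.join(task_dir, "1.log"))

        # The naive reader follows the symlink and serves the outside file.
        with open(naive_log_path(base, "dag_a", "run_1", "extract", 1)) as f:
            leaked = f.read().startswith("[core]")
        verdict, _ = check_log_path(base, "dag_a", "run_1", "extract", 1)
        return leaked, verdict


if __name__ == "__main__":
    print(check_log_path("/opt/airflow/logs", "d", "r", "../../../../etc/passwd", 1))
    print(demo_symlink_escape())
```

The identifier check alone would not have stopped the symlink case, and the containment check alone would still let a crafted task_id create odd intermediate directories on write; the two checks are meant to be applied together, on every read and write of a log path.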
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure or modification of arbitrary files on the host running the Apache Airflow API server. An attacker who can author DAGs, and therefore control task IDs and the contents of the task log directory, can read sensitive files such as configuration files or system files, or overwrite files, compromising confidentiality and integrity.
The impact is limited to environments where the worker log folder is shared with the API server; there it allows the attacker to bypass the intended access controls and read or modify files outside the designated log directory.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the two facts that decide exposure: the installed version and whether the worker log folder is shared with the API server. Check the version on the API server and the workers (for example with `airflow version` or `pip show apache-airflow`); anything older than 3.2.2 is affected. On a shared log folder, then look for symlinks under the task log directories that resolve outside the configured base log folder, and for task_id values that would not be a single plain path component.
You can list symlinks under the worker log folder and the file each one actually resolves to with commands like:
- find /path/to/worker/log/folder -type l -exec ls -l {} \; # lists every symlink with its literal target
- readlink -f /path/to/worker/log/folder/<symlink> # prints the fully resolved target; compare it with readlink -f /path/to/worker/log/folder, and any target not under that folder is a finding
Additionally, review task_id values in your DAGs or logs for a whole '..' component or an embedded path separator. A name such as a..b does not traverse and is not suspicious on its own.
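The commands above show symlink targets but leave the comparison against the base folder to the reader. The following Python scanner, an added example rather than anything shipped with Airflow, automates that check: it walks the log folder without following symlinks, reports every symlink whose resolved target lies outside the folder, and separately flags task identifiers that are not a single plain path component. The directory layout it builds under a temporary folder, including the `airflow.cfg` stand-in, is constructed for the demonstration; the function names are the example's own.

```python
import os
import shutil
import tempfile


def is_within(base, path):
    """True only if path, fully resolved, is base or lies under it."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def find_escaping_symlinks(base):
    """Return (link, resolved_target) for every symlink under base whose
    target resolves outside base. followlinks stays False (the default) so a
    planted directory symlink cannot drag the scan itself out of the folder."""
    base = os.path.realpath(base)
    findings = []
    for dirpath, dirnames, filenames in os.walk(base):
        # Symlinks to directories appear in dirnames, symlinks to files in
        # filenames; neither is descended into.
        for name in dirnames + filenames:
            candidate = os.path.join(dirpath, name)
            if os.path.islink(candidate) and not is_within(base, candidate):
                findings.append((candidate, os.path.realpath(candidate)))
    return findings


def suspicious_task_ids(task_ids):
    """Flag identifiers that are not a single plain path component. A whole
    '..' component or an embedded separator can traverse; 'a..b' cannot."""
    return [t for t in task_ids
            if t in (".", "..") or "/" in t or "\\" in t or "\x00" in t]


def build_fixture():
    """Constructed layout for the demo: one benign symlink that stays inside
    the log folder and one planted symlink to a file outside it. Returns the
    temporary root; the log folder is root/logs."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "logs")
    outside = os.path.join(root, "airflow.cfg")  # stands in for a sensitive file
    with open(outside, "w") as f:
        f.write("[core]\n")
    good = os.path.join(base, "dag_a", "run_1", "extract")
    bad = os.path.join(base, "dag_b", "run_1", "load")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, "1.log"), "w") as f:
        f.write("ok\n")
    os.symlink("1.log", os.path.join(good, "latest.log"))  # benign: stays inside
    os.symlink(outside, os.path.join(bad, "1.log"))        # finding: escapes
    return root


def scan_fixture():
    """Build the fixture, scan it, and return the escaping links relative to
    the log folder. Cleans the temporary tree up afterwards."""
    root = build_fixture()
    try:
        base = os.path.join(root, "logs")
        return [os.path.relpath(link, os.path.realpath(base))
                for link, _ in find_escaping_symlinks(base)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(scan_fixture())
    print(suspicious_task_ids(["extract", "a..b", "..", "../x", "x/y"]))
```

Run `find_escaping_symlinks` against the real worker log folder on the API server host, since that is the filesystem a planted link would be resolved on; a benign relative link such as `latest.log -> 1.log` is deliberately not reported.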
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade Apache Airflow to version 3.2.2 or later on every component (API server, scheduler and workers), where this vulnerability is fixed.
As a defense-in-depth measure, deploy the worker and API server with separate log volumes so that worker-controlled paths never reach the API server's filesystem; this removes the shared-folder precondition but is not a substitute for the upgrade.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized reading or overwriting of arbitrary files by exploiting symlinks or specially crafted task IDs, potentially exposing sensitive data stored on the API server's filesystem.
Such unauthorized data exposure or modification could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to sensitive information.
Mitigations are the same as above: upgrade to Apache Airflow 3.2.2 or later and deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.