CVE-2026-40861
Analyzed Analyzed - Analysis Complete
Path Traversal in Apache Airflow

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: Apache Software Foundation

Description
A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack β€” e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-40861
EUVD
EUVD-2026-33598
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apache Airflow allows a Dag author to exploit the task log directory by either creating a symlink pointing to an arbitrary file readable by the API server or by supplying a specially crafted task_id containing '..' sequences. These actions cause the FileTaskHandler to resolve log paths outside the intended base log folder, leading to unauthorized reading or overwriting of arbitrary files.

Specifically, the FileTaskHandler._read_from_local method could follow symlinks outside the configured log directory, enabling the log viewer to stream content from arbitrary files, potentially exposing sensitive data. The vulnerability only affects deployments where the worker log folder is shared with the API server.

Impact Analysis

This vulnerability can lead to unauthorized disclosure or modification of arbitrary files on the server hosting Apache Airflow. An attacker with the ability to create or manipulate task logs can read sensitive files such as configuration files or system files, or overwrite files, potentially compromising system integrity and confidentiality.

The impact is significant in environments where the worker log folder is shared with the API server, as it allows an attacker to bypass intended access controls and access or modify files outside the designated log directory.

Detection Guidance

This vulnerability can be detected by checking if there are symlinks under the task's log directory that point to files outside the configured base log folder, or if task_id values contain '..' sequences that could lead to path traversal.

You can inspect the task log directories for symlinks pointing outside the expected log folder using commands like:

  • find /path/to/worker/log/folder -type l -exec ls -l {} \;
  • readlink -f /path/to/worker/log/folder/<symlink> # to check the real path the symlink points to

Additionally, review task_id values in your DAGs or logs for suspicious '..' sequences that could be exploited.

Mitigation Strategies

Immediate mitigation steps include upgrading Apache Airflow to version 3.2.2 or later, where this vulnerability is fixed.

As a defense-in-depth measure, deploy the worker and API server with separate log volumes to prevent worker-controlled paths from reaching the API server's filesystem.

Compliance Impact

This vulnerability allows unauthorized reading or overwriting of arbitrary files by exploiting symlinks or specially crafted task IDs, potentially exposing sensitive data stored on the API server's filesystem.

Such unauthorized data exposure or modification could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to sensitive information.

Mitigations include upgrading to apache-airflow 3.2.2 or later and deploying the worker and API server with separate log volumes to prevent worker-controlled paths from reaching the API server's filesystem.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart