CVE-2026-40861

Published: Giu 01, 2026 Last Modified: Giu 01, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.

59

Improper Link Resolution Before File Access ('Link Following')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Other
Potential Impacts:
Read Files Or Directories Modify Files Or Directories Bypass Protection Mechanism Execute Unauthorized Code Or Commands
Applicable Platforms
Operating Systems: Windows, Unix
Likelihood of Exploit: Medium
View CWE Details
http://www.openwall.com/lists/oss-security/2026/05/31/1
http://www.openwall.com/lists/oss-security/2026/05/31/1
https://github.com/apache/airflow/pull/65325
https://github.com/apache/airflow/pull/65325
https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47t…
https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl