CVE-2026-49818 is a medium severity vulnerability with a CVSS score of 6.5. No known exploits currently, and patches are available.
EPSS: Lower probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The Apache Airflow Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check, so an object named with ../ segments resolved a write path outside the configured destination_path. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within destination_path.
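The unchecked join and a containment check of the kind described above, as an added sketch; it is not the provider's code or the 4.12.6 patch, and the function names, the `/exports/partner_a` destination and the object names are constructed assumptions (a non-empty destination path is assumed).

```python
import posixpath

def naive_destination(destination_path, object_name):
    # Unchecked join, as the advisory describes: "../" segments survive.
    return posixpath.normpath(posixpath.join(destination_path, object_name))

def contained_destination(destination_path, object_name):
    # Hypothetical helper: resolve the target, then require it to stay inside.
    # SMB also accepts "\" as a separator, so fold it before normalising.
    base = posixpath.normpath(destination_path.replace("\\", "/"))
    target = posixpath.normpath(posixpath.join(base, object_name.replace("\\", "/")))
    # Compare against base plus a separator so a sibling such as
    # "/exports/partner_a_archive" does not pass a bare prefix test.
    if not target.startswith(base.rstrip("/") + "/"):
        raise ValueError(f"object name {object_name!r} resolves outside {base!r}")
    return target

def escaping_objects(destination_path, object_names):
    # Audit helper: list the names that the contained join would refuse.
    flagged = []
    for name in object_names:
        try:
            contained_destination(destination_path, name)
        except ValueError:
            flagged.append(name)
    return flagged

# Constructed sample listing (not taken from any real bucket).
SAMPLE_DEST = "/exports/partner_a"
SAMPLE_OBJECTS = [
    "2024/report.csv", "a/../b.csv", "../partner_b/report.csv",
    "../partner_a_archive/x.csv", "..\\partner_b\\x.csv", "/other/x.csv",
]

if __name__ == "__main__":
    for name in SAMPLE_OBJECTS:
        print(name, "->", naive_destination(SAMPLE_DEST, name))
    print("flagged:", escaping_objects(SAMPLE_DEST, SAMPLE_OBJECTS))
```

Running `escaping_objects` over a listing of the source bucket is one way to check, before or after upgrading, whether any existing object names would have resolved outside the destination.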
| Vendor | Product |
|---|---|
| Apache | Apache Airflow Providers Samba |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.