CVE-2026-40861 | A Dag author could either (a) create a symlink under their t… | CVSS 6.5 MEDIUM

Description

A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.

Metadata

CVE ID: CVE-2026-40861
State: PUBLISHED
Assigner: apache
Reserved: 2026-04-15 13:58 UTC
Published: 2026-06-01 07:55 UTC
Last updated: 2026-06-02 16:42 UTC
Primary CWE: CWE-59
CWE-59: Improper Link Resolution Before File Access ('Link F…
Vendor / Product: Apache Software Foundation / Apache Airflow
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache Airflow	—	0 < 3.2.2

Weakness (CWE)

CWE	Source	Description
CWE-59	cna	CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (2)