CVE-2026-40861: Apache Airflow Path Traversal – Log Directory Symlink and Directory Escape Vulnerability
CVE-2026-40861 is a path traversal vulnerability in Apache Airflow that allows a DAG (Directed Acyclic Graph) author to read or write arbitrary files on the system when the worker and API server share a log directory. An attacker with DAG authoring privileges can either create symbolic links in their task's log folder to access sensitive files like `/etc/passwd` or `airflow.cfg`, or inject path traversal sequences (`..`) in task IDs to escape the intended log directory. The vulnerability exposes confidential configuration data and could enable file overwrites on the API server's filesystem.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-59
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The FileTaskHandler in Apache Airflow fails to properly validate and canonicalize log paths when resolving task log locations. Two attack vectors are possible: (1) symlink-based read attacks where a DAG author creates a symlink under their task's log directory that points to an arbitrary file readable by the API server process, and (2) path traversal write attacks where a malicious `task_id` containing `..` sequences passes validation in the Task SDK's `KEY_REGEX` and allows the log path to be resolved outside the configured `base_log_folder`. The vulnerability is specifically triggered in deployments where worker and API server processes share a common log volume, enabling the worker-controlled task paths to reach the API server's filesystem. The root cause is insufficient path sanitization prior to file operations.
Business impact
This vulnerability poses a confidentiality and integrity risk to Airflow deployments. Attackers with DAG authoring permissions can exfiltrate sensitive configuration files (such as `airflow.cfg` containing database credentials, SMTP settings, or API keys), environment variables, or other application secrets stored on the shared filesystem. Additionally, the write-path attack vector enables attackers to corrupt or modify critical files, potentially disrupting API server operations or gaining lateral movement opportunities. Organizations relying on Airflow for data orchestration face operational disruption and credential compromise if this flaw is exploited.
Affected systems
Apache Airflow versions prior to 3.2.2 are affected. The vulnerability only manifests in deployments where the worker log folder and API server log folder share the same filesystem or volume. Deployments with isolated log storage (worker logs on separate volumes from the API server) are not vulnerable, even if running an older Airflow version.
Exploitability
The vulnerability requires authenticated access as a DAG author, so it is not exploitable by anonymous attackers or users without DAG creation privileges. However, in many Airflow environments, DAG authoring is delegated to data engineers or analytics teams who may not be security-conscious when writing DAGs. The attack is straightforward to execute: symlink creation or path traversal injection requires no special tools or complex techniques. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a MEDIUM severity score driven by the high confidentiality impact and low attack complexity, mitigated by the requirement for low-privilege authenticated access and a shared log directory prerequisite.
Remediation
Upgrade Apache Airflow to version 3.2.2 or later immediately. This patch version includes enhanced path validation and canonicalization in the FileTaskHandler to prevent both symlink resolution and path traversal attacks. As a defense-in-depth measure independent of patching, deploy the worker and API server processes with separate log volumes so that any path manipulation by task code cannot reach the API server's filesystem. Additionally, restrict DAG authoring permissions to trusted users and audit existing DAGs for suspicious symlink creation or malformed task IDs.
Patch guidance
Apply the upgrade to Apache Airflow 3.2.2 or later as soon as possible. Verify the patch version against the official Apache Airflow release notes. If immediate patching is not feasible due to operational constraints, implement the defense-in-depth mitigation of using separate log volumes for workers and API servers. This architectural change eliminates the attack surface without requiring a code upgrade, though the underlying vulnerability would remain present in the software until upgraded.
Detection guidance
Monitor for suspicious DAG code patterns, particularly: (1) DAG definitions that create symlinks in task log directories, and (2) task IDs containing `..` sequences or other path traversal indicators. Review audit logs for unexpected file access attempts in shared log directories. Examine filesystem access patterns and check for unauthorized reads of sensitive files like `airflow.cfg`, `webserver_config.py`, or system files like `/etc/passwd`. If SIEM tools are available, correlate file access events with Airflow task execution timelines to identify anomalous activity.
Why prioritize this
Although the CVSS score is MEDIUM, this vulnerability should be prioritized for patching in the near term due to the ease of exploitation by insiders with DAG authoring permissions and the high sensitivity of data that can be leaked (database credentials, API keys, configuration secrets). Organizations where data engineers or analytics teams have broad DAG authoring access face elevated risk. Conversely, if DAG authoring is tightly controlled or log volumes are already segregated, the urgency is lower. Assess your deployment architecture and access controls when determining patch timing.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a MEDIUM severity assessment. The high confidentiality impact (C:H) reflects the potential to leak sensitive configuration and secrets. The integrity impact is marked as none (I:N) in the vector because the primary concern is the read-path attack; however, the write-path attack does enable integrity violations, and this should be considered during risk assessment. The authentication requirement (PR:L) and absence of user interaction (UI:N) keep the exploitability moderate. The vulnerability is network-accessible (AV:N) and does not require changing scope (S:U). Organizations should adjust their internal risk rating based on the sensitivity of data in shared log directories and the breadth of DAG authoring privileges in their Airflow deployment.
Frequently asked questions
Does this vulnerability affect Airflow deployments where worker and API server logs are stored on separate volumes?
No. The vulnerability specifically requires that the worker log folder and API server log folder share a common filesystem or volume. If your deployment uses separate storage for worker logs and API server logs (e.g., distinct volumes, NFS mounts, or object storage), you are not vulnerable to this issue even if running an affected version.
Can an unauthenticated user exploit this vulnerability?
No. The vulnerability requires the attacker to be authenticated as a DAG author with permission to create or modify DAGs. Anonymous or non-DAG-authoring users cannot exploit this flaw.
What files are at risk of being leaked?
Any file readable by the API server process can potentially be leaked. This typically includes `airflow.cfg` (which often contains database passwords, SMTP credentials, and API keys), `webserver_config.py`, secret files, environment configuration, and in some setups, system files like `/etc/passwd` if the API server runs with elevated permissions.
Is there a workaround if we cannot upgrade immediately?
Yes. Implement the defense-in-depth mitigation by deploying your worker and API server processes with separate log volumes or filesystems. This architectural change eliminates the attack surface without requiring a software upgrade. Additionally, audit and restrict DAG authoring permissions to trusted users only, and monitor for suspicious DAG code patterns.
This analysis is based on publicly available information from the CVE record and vendor advisories as of the publication date. Security advisories and patch versions are subject to change; always verify against official Apache Airflow release notes and security bulletins before deploying patches. This document does not constitute legal advice or a warranty of fitness for any particular use. Organizations should conduct their own risk assessment based on their specific Airflow deployment architecture, access controls, and data sensitivity. No exploit code or weaponized proof-of-concept is provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11322MEDIUMHermes WebUI Path Traversal Vulnerability – Credential Exposure Risk
- CVE-2026-41236HIGHFroxlor 2.3.6 Symlink Privilege Escalation to Root
- CVE-2025-48977MEDIUMApache Ignite REST API Path Traversal – Authenticated File Read Vulnerability
- CVE-2026-40914MEDIUMApache Artemis STOMP Protocol Authorization Bypass
- CVE-2026-41014MEDIUMApache Airflow Unauthorized DAG Access via Asset Permissions
- CVE-2026-41017MEDIUMApache Airflow JWT Cookie Secure Flag Bypass
- CVE-2026-41115MEDIUMApache Kafka CONSUMER_GROUP_DESCRIBE Authorization Documentation Mismatch
- CVE-2026-42253MEDIUMApache ActiveMQ Header Injection XSS Vulnerability