CVE-2026-40861 Overview
CVE-2026-40861 is a path traversal and symlink vulnerability in Apache Airflow's FileTaskHandler component. A DAG author can abuse two attack paths against deployments where the worker log folder is shared with the API server. In the read-path attack, the author creates a symbolic link under the task's log directory that points to an arbitrary file readable by the API server process, such as /etc/passwd or airflow.cfg. In the write-path attack, the author supplies a task_id containing .. sequences that are accepted by the Task SDK's KEY_REGEX. In both cases, the resolved log path escapes the configured base_log_folder, leaking or overwriting arbitrary files. The flaw is tracked under CWE-59 (Improper Link Resolution Before File Access).
Critical Impact
Authenticated DAG authors can read sensitive files like airflow.cfg or overwrite arbitrary files accessible to the API server process when worker and API server share a log volume.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments where the worker log folder is shared with the API server
- Components: FileTaskHandler and Task SDK KEY_REGEX validation
Discovery Timeline
- 2026-06-01 - CVE-2026-40861 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-40861
Vulnerability Analysis
The vulnerability resides in how Apache Airflow's FileTaskHandler constructs and resolves log file paths. The handler builds paths by combining the configured base_log_folder with attacker-influenced components such as task_id and on-disk directory entries. The code does not validate that the resolved path remains within base_log_folder and does not reject symbolic links. When the worker and API server share the same log volume, paths created or staged by a worker are later opened by the API server, granting the attacker reach into the API server's filesystem context.
Root Cause
Two input validation gaps drive the issue. First, the Task SDK's KEY_REGEX permits task_id values that contain .. sequences, enabling directory traversal during write operations. Second, the FileTaskHandler follows symbolic links inside the worker-controlled log directory without performing a canonical-path check against base_log_folder. The combination allows file reads outside the intended directory and writes to attacker-chosen locations.
Attack Vector
Exploitation requires DAG authoring privileges, which qualifies as low-privilege authenticated access over the network. In the read-path scenario, the DAG author plants a symlink inside the task log directory pointing to a sensitive file, then triggers the API server to render task logs, returning the linked file contents. In the write-path scenario, the author defines a task with a task_id containing .. segments, causing FileTaskHandler to write log content to a path outside base_log_folder. Impact is confined to deployments where the worker and API server share a log volume.
Detection Methods for CVE-2026-40861
Indicators of Compromise
- Symbolic links present under task log directories that resolve outside of base_log_folder
- DAG definitions or task metadata containing task_id values with .. sequences
- API server log render requests returning content from files such as /etc/passwd or airflow.cfg
- Unexpected file modifications on the API server filesystem with timestamps correlated to task execution
Detection Strategies
- Audit the base_log_folder tree for symbolic links and flag any whose targets fall outside the configured directory
- Inspect Airflow metadata and DAG source for task_id values containing .., /, or other traversal characters
- Correlate API server file access events with worker task execution to surface anomalous file reads triggered by log rendering
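The first two strategies above, as an added example (not Apache Airflow code): a Python audit that walks base_log_folder without following links and reports every symlink that resolves outside it, plus a check for task_id values containing .. or a path separator. The function names, the sample tree and the task_id list are constructed for illustration, and POSIX paths are assumed.

```python
import os
import re
import tempfile

# Assumption: a task_id is suspicious if it contains '..' or a path separator.
TRAVERSAL = re.compile(r"\.\.|[/\\]")

def is_within(path, base):
    """True when the fully resolved path stays inside the resolved base."""
    base = os.path.realpath(base)
    return os.path.commonpath([os.path.realpath(path), base]) == base

def find_escaping_symlinks(base_log_folder):
    """Return (link, target) for every symlink that resolves outside the tree."""
    findings = []
    # followlinks=False: never descend through a link while auditing.
    for root, dirs, files in os.walk(base_log_folder, followlinks=False):
        for name in dirs + files:
            entry = os.path.join(root, name)
            if os.path.islink(entry) and not is_within(entry, base_log_folder):
                findings.append((entry, os.path.realpath(entry)))
    return sorted(findings)

def suspicious_task_ids(task_ids):
    """Return the task_id values containing '..' or a path separator."""
    return [t for t in task_ids if TRAVERSAL.search(t)]

def build_sample_tree():
    """Constructed sample: one normal log, one in-tree link, one escaping link."""
    top = tempfile.mkdtemp()
    base = os.path.join(top, "logs")
    run = os.path.join(base, "dag_id=demo", "run_id=r1", "task_id=t1")
    os.makedirs(run)
    outside = os.path.join(top, "outside.cfg")
    for path in (outside, os.path.join(run, "attempt=1.log")):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.symlink(os.path.join(run, "attempt=1.log"), os.path.join(run, "latest.log"))
    os.symlink(outside, os.path.join(run, "attempt=2.log"))
    return base, outside

if __name__ == "__main__":
    base, _ = build_sample_tree()
    for link, target in find_escaping_symlinks(base):
        print(f"ESCAPES base_log_folder: {link} -> {target}")
    print(suspicious_task_ids(["extract", "../../tmp/x", "load.stage_1"]))
```

Links that stay inside the tree (latest.log in the sample) are not reported, and a task_id with single dots such as load.stage_1 is not flagged.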
Monitoring Recommendations
- Enable filesystem auditing (auditd or equivalent) on the shared log volume and alert on symlink creation events
- Log and review all DAG submissions, focusing on author identity and structural fields like task_id
- Monitor API server process file opens for paths outside base_log_folder
How to Mitigate CVE-2026-40861
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later across all worker and API server nodes
- Inventory all DAG authors and review recent DAGs for symlinks or suspicious task_id values
- Restrict DAG authoring privileges to trusted users until the upgrade is complete
Patch Information
Apache Airflow 3.2.2 contains the fix. The patch tightens KEY_REGEX in the Task SDK to reject .. sequences and adds canonical-path validation in FileTaskHandler so resolved log paths must remain within base_log_folder. Patch details are available in the Apache Airflow GitHub Pull Request #65325 and the Apache Mailing List Thread.
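The kind of canonical-path validation described above, as an added example. This is not the code from the Airflow patch: the directory layout, function names and sample files are hypothetical. It shows an unchecked path join beside a version that resolves the path and refuses anything outside base_log_folder.

```python
import os
import tempfile

class LogPathError(ValueError):
    """Raised when a log path would resolve outside base_log_folder."""

def naive_log_path(base_log_folder, dag_id, task_id, attempt):
    # Unchecked pattern: untrusted parts are joined and used as-is.
    # Hypothetical layout for illustration, not Airflow's filename template.
    return os.path.join(base_log_folder, dag_id, task_id, f"{attempt}.log")

def contained_log_path(base_log_folder, dag_id, task_id, attempt):
    """Build the same path, then refuse it unless it resolves inside the base."""
    base = os.path.realpath(base_log_folder)
    candidate = os.path.realpath(naive_log_path(base, dag_id, task_id, attempt))
    # realpath collapses '..' and follows symlinks, so a traversing task_id
    # and a planted link both surface as a path outside the base.
    if os.path.commonpath([candidate, base]) != base:
        raise LogPathError(f"{candidate} resolves outside {base}")
    return candidate

def read_log(base_log_folder, dag_id, task_id, attempt):
    with open(contained_log_path(base_log_folder, dag_id, task_id, attempt)) as fh:
        return fh.read()

def build_sample():
    """Constructed sample: a real log plus a link to a file outside the base."""
    top = tempfile.mkdtemp()
    base = os.path.join(top, "logs")
    os.makedirs(os.path.join(base, "demo", "t1"))
    outside = os.path.join(top, "outside.cfg")
    with open(outside, "w") as fh:
        fh.write("not a log\n")
    with open(os.path.join(base, "demo", "t1", "1.log"), "w") as fh:
        fh.write("task ok\n")
    os.symlink(outside, os.path.join(base, "demo", "t1", "2.log"))
    return base

def check(base, task_id, attempt):
    """Return 'ok' or 'rejected' for one (task_id, attempt) pair."""
    try:
        contained_log_path(base, "demo", task_id, attempt)
        return "ok"
    except LogPathError:
        return "rejected"

if __name__ == "__main__":
    base = build_sample()
    for task_id, attempt in [("t1", 1), ("t1", 2), ("../../outside", 1)]:
        print(task_id, attempt, check(base, task_id, attempt))
```

The check and the later open are separate steps, so the path can still change between them; separate or read-only log volumes remain useful alongside this validation.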
Workarounds
- Deploy the worker and API server with separate log volumes so worker-controlled paths cannot reach the API server filesystem
- Mount the API server's view of the log directory read-only where operationally feasible
- Disable or scrub symbolic links in base_log_folder on a scheduled basis until patched
- Enforce DAG review and code signing workflows to catch malicious task_id definitions before deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


