On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters set in the smb.conf file. The problem is reproducable if the "wide links" option is explicitly set to "yes" and either "unix extensions = no" or "allow insecure wide links = yes" is set in addition.