Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
AnalysisAI
LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the _search_ldap and _ldap_get_nested_groups methods in override.py directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.
Technical ContextAI
Apache Airflow FAB Auth Manager is the Flask App Builder (FAB)-based authentication subsystem for Apache Airflow, responsible for handling LDAP, OAuth, and other authentication backends. The root cause is CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query). In override.py, the _search_ldap method constructed LDAP filter strings by directly interpolating the username variable - e.g., f'({self.auth_ldap_uid_field}={username})' - without escaping LDAP metacharacters such as *, (, ), \, and \0. The same flaw existed in _ldap_get_nested_groups, where user_dn was similarly unescaped. The fix, confirmed in GitHub PR #66417, applies ldap.filter.escape_filter_chars() to both username and user_dn before filter construction. Affected CPE: cpe:2.3:a:apache_software_foundation:apache_airflow_fab_provider:*:*:*:*:*:*:*:* for all versions prior to 3.6.4.
RemediationAI
Upgrade apache-airflow-providers-fab to version 3.6.4 or later; this is the vendor-confirmed fix per the Apache security advisory at https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh and the upstream patch in GitHub PR #66417 (https://github.com/apache/airflow/pull/66417). If immediate upgrade is not possible, the vendor explicitly recommends disabling LDAP authentication as a compensating control until the provider can be updated - note this will force migration to an alternative auth backend (OAuth, password-based, etc.) which may impact operational workflows. There is no known partial mitigation that preserves LDAP functionality while blocking injection; network-layer filtering of LDAP metacharacters at a WAF or reverse proxy is unreliable and not recommended as a substitute for patching. Review the oss-security disclosure at http://www.openwall.com/lists/oss-security/2026/05/24/10 for additional context.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31669
GHSA-g283-w6fp-c4fc