Skip to main content

Apache Airflow FAB EUVDEUVD-2026-31669

| CVE-2026-46745 MEDIUM
LDAP Injection (CWE-90)
2026-05-25 apache GHSA-g283-w6fp-c4fc
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 12:14 vuln.today
Analysis Generated
Jun 08, 2026 - 12:14 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
5.3 (MEDIUM)
CVE Published
May 25, 2026 - 10:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 25, 2026 - 10:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

AnalysisAI

LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the _search_ldap and _ldap_get_nested_groups methods in override.py directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.

Technical ContextAI

Apache Airflow FAB Auth Manager is the Flask App Builder (FAB)-based authentication subsystem for Apache Airflow, responsible for handling LDAP, OAuth, and other authentication backends. The root cause is CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query). In override.py, the _search_ldap method constructed LDAP filter strings by directly interpolating the username variable - e.g., f'({self.auth_ldap_uid_field}={username})' - without escaping LDAP metacharacters such as *, (, ), \, and \0. The same flaw existed in _ldap_get_nested_groups, where user_dn was similarly unescaped. The fix, confirmed in GitHub PR #66417, applies ldap.filter.escape_filter_chars() to both username and user_dn before filter construction. Affected CPE: cpe:2.3:a:apache_software_foundation:apache_airflow_fab_provider:*:*:*:*:*:*:*:* for all versions prior to 3.6.4.

RemediationAI

Upgrade apache-airflow-providers-fab to version 3.6.4 or later; this is the vendor-confirmed fix per the Apache security advisory at https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh and the upstream patch in GitHub PR #66417 (https://github.com/apache/airflow/pull/66417). If immediate upgrade is not possible, the vendor explicitly recommends disabling LDAP authentication as a compensating control until the provider can be updated - note this will force migration to an alternative auth backend (OAuth, password-based, etc.) which may impact operational workflows. There is no known partial mitigation that preserves LDAP functionality while blocking injection; network-layer filtering of LDAP metacharacters at a WAF or reverse proxy is unreliable and not recommended as a substitute for patching. Review the oss-security disclosure at http://www.openwall.com/lists/oss-security/2026/05/24/10 for additional context.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

EUVD-2026-31669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy