Skip to main content

Apache Airflow Fab Provider

2 CVEs product

Monthly

CVE-2026-59245 HIGH PATCH This Week

Privilege escalation in the Apache Airflow FAB auth manager (apache-airflow-providers-fab before 3.7.2) lets a low-privileged user who is granted per-DAG access to a DAG literally named 'DAGs' silently receive the global all-DAGs permission, gaining read and edit access to every DAG in the deployment. The flaw stems from a resource-name collision in resource_name(), where the reserved global resource string 'DAGs' is indistinguishable from a legitimate dag_id of the same value. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Apache Apache Airflow Fab Provider
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46745 PyPI MEDIUM PATCH This Month

LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.

Authentication Bypass LDAP Apache Code Injection Apache Airflow Fab Provider
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in the Apache Airflow FAB auth manager (apache-airflow-providers-fab before 3.7.2) lets a low-privileged user who is granted per-DAG access to a DAG literally named 'DAGs' silently receive the global all-DAGs permission, gaining read and edit access to every DAG in the deployment. The flaw stems from a resource-name collision in resource_name(), where the reserved global resource string 'DAGs' is indistinguishable from a legitimate dag_id of the same value. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Apache Apache Airflow Fab Provider
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.

Authentication Bypass LDAP Apache +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy