Description
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
Published: 2026-05-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Airflow FAB Auth Manager contains an LDAP filter injection flaw that lets unauthenticated actors craft malicious queries against the LDAP directory. Because the flaw lies in the FILTER construction, attackers can read arbitrary directory entries or inject a query that forces authentication to succeed. The weakness is identified as CWE‑90 and effectively allows bypassing the normal login process or exfiltrating directory data without credentials.

Affected Systems

The affected component is the FAB provider of Apache Airflow, introduced within the FAB Auth Manager. Versions of apache‑airflow‑providers‑fab before 3.6.4 that enable LDAP authentication are vulnerable. Any Airflow installation that has this provider installed and has LDAP authentication enabled may be exposed.

Risk and Exploitability

The attack can be carried out remotely by sending a specially crafted request to the /auth/token endpoint. No CVSS or EPSS score is reported in the advisory, and the vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation campaigns. However, the remote nature of the flaw, the lack of authentication requirement, and the ability to either read sensitive directory data or gain privileged access make it high risk and recommend immediate remediation.

Generated by OpenCVE AI on May 25, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apache-airflow-providers-fab to version 3.6.4 or later.
  • If an immediate upgrade is not viable, temporarily disable LDAP authentication in the FAB Auth Manager until the provider can be updated.
  • Verify that LDAP authentication is no longer reachable and monitor Airflow logs for any unauthorized token request attempts.

Generated by OpenCVE AI on May 25, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
Title Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Weaknesses CWE-90
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-25T11:30:01.166Z

Reserved: 2026-05-18T09:26:04.993Z

Link: CVE-2026-46745

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T12:30:25Z

Weaknesses