Apache Airflow FAB Auth Manager contains an LDAP filter injection flaw that lets unauthenticated actors craft malicious queries against the LDAP directory. Because the flaw lies in the FILTER construction, attackers can read arbitrary directory entries or inject a query that forces authentication to succeed. The weakness is identified as CWE‑90 and effectively allows bypassing the normal login process or exfiltrating directory data without credentials.

The affected component is the FAB provider of Apache Airflow, introduced within the FAB Auth Manager. Versions of apache‑airflow‑providers‑fab before 3.6.4 that enable LDAP authentication are vulnerable. Any Airflow installation that has this provider installed and has LDAP authentication enabled may be exposed.

The attack can be carried out remotely by sending a specially crafted request to the /auth/token endpoint. The advisory lists a CVSS score of 5.3 and an EPSS score of <1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation campaigns. However, the remote nature of the flaw, the lack of authentication requirement, and the ability to either read sensitive directory data or gain privileged access make it medium risk and recommend remediation.