Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

Project Subscriptions

Vendors Products
Airflow Fab Provider Subscribe
Apache-airflow-providers-fab Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g283-w6fp-c4fc Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 27 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache apache-airflow-providers-fab
CPEs cpe:2.3:a:apache:apache-airflow-providers-fab:*:*:*:*:*:*:*:*
Vendors & Products Apache apache-airflow-providers-fab

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow Fab Provider
Vendors & Products Apache
Apache airflow Fab Provider

Tue, 26 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Mon, 25 May 2026 11:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
Title Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Weaknesses CWE-90
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-26T20:08:17.281Z

Reserved: 2026-05-18T09:26:04.993Z

Link: CVE-2026-46745

cve-icon Vulnrichment

Updated: 2026-05-25T11:27:21.028Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-25T11:16:18.407

Modified: 2026-06-17T10:53:53.107

Link: CVE-2026-46745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:06:00Z

Weaknesses