Message-ID: <8f9acf81-c9c7-d546-588f-8a890c5bf0b1@apache.org>
Date: Sun, 24 May 2026 20:19:46 +0000
From: Jens Scheffler <jscheffl@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-46745: Apache Airflow FAB provider: [ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223)

Severity: Moderate

Affected versions:
- Apache Airflow FAB provider (apache-airflow-providers-fab) before 3.6.4

Description:
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication.

Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

Credit:
Venkatraman Kumar (r3dw0lfsec), Securin (finder)
orbisai0security (automated scanner — Orbis Security AI) (remediation developer)

References:
https://github.com/apache/airflow/pull/66417
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46745
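The defect class named above, CWE-90, arises when a login name is interpolated into an LDAP search filter as-is. The snippet below is an added illustration, not code from the Airflow FAB provider or from the fix in the referenced pull request; build_user_filter, build_user_filter_unsafe and escape_filter_value are hypothetical names. It shows the raw-interpolation pattern beside RFC 4515 escaping, which keeps a caller-supplied value from changing the filter's structure.

```python
# Added example: RFC 4515 escaping for LDAP search-filter values.
# Not the FAB provider's code; names are hypothetical and chosen for
# illustration only.

# Characters that RFC 4515 section 3 requires to be escaped inside an
# assertion value: asterisk, parentheses, backslash and NUL.
_LDAP_FILTER_SPECIALS = "*()\\\x00"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.

    Each special character becomes a backslash followed by two hex digits,
    so '(' -> '\\28', ')' -> '\\29', '*' -> '\\2a', '\\' -> '\\5c',
    NUL -> '\\00'. Everything else is passed through unchanged.
    """
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str, uid_field: str = "uid") -> str:
    """Hardened form: the login name is escaped before interpolation, so the
    result is always a single equality match on uid_field."""
    return "(%s=%s)" % (uid_field, escape_filter_value(username))


def build_user_filter_unsafe(username: str, uid_field: str = "uid") -> str:
    """Vulnerable pattern (CWE-90), shown for contrast only: metacharacters
    in username are interpreted by the directory server as filter syntax."""
    return "(%s=%s)" % (uid_field, username)


if __name__ == "__main__":
    # Constructed sample input: a login name carrying filter metacharacters.
    sample = "al(ice)*"
    print(build_user_filter_unsafe(sample))  # (uid=al(ice)*)
    print(build_user_filter(sample))         # (uid=al\28ice\29\2a)
```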