PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46745 Apache Software Foundation CVE debrief

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. The vulnerability was published on 2026-05-25 and last modified on 2026-05-26. The issue affects the Flask-AppBuilder (FAB) authentication manager component when LDAP authentication is enabled. Attackers can manipulate LDAP filter queries without authentication, potentially extracting sensitive directory information or circumventing authentication controls entirely. The vulnerability carries a CVSS 3.1 score of 5.3 (MEDIUM severity) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network-accessible, low-complexity attacks that require no privileges or user interaction, with limited confidentiality impact. The Apache Software Foundation has released a fix in apache-airflow-providers-fab version 3.6.4. Organizations using LDAP authentication with Airflow FAB Auth Manager should prioritize upgrading to this version. If immediate patching is not feasible, disabling LDAP authentication temporarily eliminates the attack vector. The fix was committed to the Apache Airflow repository and announced via official Apache security channels.

Vendor: Apache Software Foundation
Product: Apache Airflow FAB provider
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

  • Organizations running Apache Airflow with FAB Auth Manager and LDAP authentication enabled
  • Security teams responsible for identity and access management infrastructure
  • DevOps and platform engineering teams managing Airflow deployments
  • Directory services administrators whose LDAP infrastructure may be exposed through vulnerable Airflow configurations
  • Compliance teams tracking authentication bypass vulnerabilities affecting data access controls

Technical summary

The Apache Airflow FAB (Flask-AppBuilder) Auth Manager component is vulnerable to LDAP filter injection (CWE-90). Insufficient input sanitization allows unauthenticated attackers to inject malicious LDAP filter syntax into authentication requests. This injection capability enables two primary attack scenarios: exfiltration of arbitrary directory data through crafted filter queries that return unauthorized result sets, and authentication bypass through filter manipulation that causes LDAP queries to match unintended directory entries. The vulnerability is exploitable remotely without authentication, requiring only network access to an Airflow instance with LDAP authentication configured. The CVSS 3.1 score of 5.3 reflects network attack vector, low attack complexity, no required privileges or user interaction, and limited confidentiality impact (no integrity or availability impact). The Apache Software Foundation addressed this vulnerability in apache-airflow-providers-fab 3.6.4 by implementing proper LDAP filter input validation and sanitization.

Defensive priority

High

Recommended defensive actions

  • Upgrade apache-airflow-providers-fab to version 3.6.4 or later to remediate the LDAP filter injection vulnerability
  • If immediate upgrade is not possible, disable LDAP authentication in Airflow FAB Auth Manager configuration until the provider can be updated
  • Review LDAP authentication logs for anomalous filter queries that may indicate exploitation attempts
  • Verify Airflow deployments to identify systems using FAB Auth Manager with LDAP authentication enabled
  • Monitor Apache Airflow security advisories for additional guidance or related vulnerabilities
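The following is an added example, not code from the Apache Airflow FAB provider or from this debrief, illustrating the defect class described in the technical summary and the log-review action above. It contrasts a filter built by raw string interpolation (the CWE-90 pattern) with one that escapes assertion-value metacharacters per RFC 4515, and then applies the same "one equality match on the username attribute" rule to constructed OpenLDAP stats-style search log lines to flag filters a login lookup should never produce. The attribute name `uid`, the log format and all sample values are assumptions for the demonstration.

```python
"""Added example (not the FAB provider's code): safe LDAP filter building
and a log check for anomalous search filters.

CWE-90 arises when an untrusted username is interpolated into an LDAP
search filter without escaping. build_filter_unsafe shows the defect
class, build_filter_safe escapes metacharacters per RFC 4515, and
flag_anomalous_filters applies the same "single equality match" rule to
constructed OpenLDAP stats-style log lines.
"""
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by the two-hex-digit byte value.
_ESCAPES = {
    "\\": r"\5c",   # escape the escape character first
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for inclusion in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid_field: str, username: str) -> str:
    """Vulnerable pattern: raw interpolation lets the caller alter the filter."""
    return f"({uid_field}={username})"


def build_filter_safe(uid_field: str, username: str) -> str:
    """Hardened pattern: the username can only match a literal attribute value."""
    return f"({uid_field}={escape_filter_value(username)})"


def is_single_equality(ldap_filter: str, uid_field: str) -> bool:
    """True if the filter is exactly one '(uid_field=<value>)' assertion with
    no raw metacharacters in the value (a login lookup never needs more)."""
    prefix = f"({uid_field}="
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(")")):
        return False
    value = ldap_filter[len(prefix):-1]
    return not any(ch in value for ch in "()*\x00")


_FILTER_RE = re.compile(r'filter="([^"]*)"')
_CONN_RE = re.compile(r"conn=(\d+)")


def flag_anomalous_filters(log_lines, uid_field="uid"):
    """Return (conn, filter) for every SRCH line whose filter is not a plain
    single-user equality lookup. Assumes the application only ever issues
    such lookups during login, so anything else deserves review."""
    flagged = []
    for line in log_lines:
        if " SRCH " not in line:
            continue
        m = _FILTER_RE.search(line)
        if not m:
            continue
        ldap_filter = m.group(1)
        if not is_single_equality(ldap_filter, uid_field):
            conn = _CONN_RE.search(line)
            flagged.append((conn.group(1) if conn else "?", ldap_filter))
    return flagged


# Constructed OpenLDAP "stats"-style search log lines (not real captures).
SAMPLE_LOG = [
    'conn=1001 op=2 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"',
    'conn=1002 op=2 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"',
    'conn=1003 op=2 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=bob)(objectClass=*))"',
    'conn=1004 op=2 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(uid=ca\\2arol)"',
]

if __name__ == "__main__":
    print(build_filter_unsafe("uid", "x)(y"))   # filter shape altered by the input
    print(build_filter_safe("uid", "x)(y"))     # metacharacters neutralised
    for conn, flt in flag_anomalous_filters(SAMPLE_LOG):
        print(f"conn={conn} anomalous filter: {flt}")
```

The escaping step is what the fix class for CWE-90 amounts to: once every `\`, `*`, `(`, `)` and NUL in the username is encoded, the directory can only ever compare the value literally, so neither a wildcard match nor an extra filter clause can be introduced. The log check is the mirror image of that rule for the review action: because a login lookup only needs one equality assertion on the username attribute, any search from the Airflow service account that has a different shape is worth investigating.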

Evidence notes

Vulnerability description and remediation guidance sourced from official CVE record and NVD entry. Fix version 3.6.4 confirmed via Apache security mailing list and GitHub pull request. CVSS vector and score from NVD official database. CWE-90 classification from Apache security advisory. Timeline dates from official CVE publication and modification timestamps.

Official resources

2026-05-25