PatchSiren cyber security CVE debrief
CVE-2026-59245 Apache Software Foundation CVE debrief
A high-severity vulnerability was found in the Apache Airflow FAB auth manager. A DAG named 'DAGs' colliding with the global all-DAGs permission resource name produced by resource_name() could allow a user granted per-DAG access_control on that DAG to be silently granted the global all-DAGs permission, leading to privilege escalation. This issue arises when a DAG named 'DAGs' exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to take immediate action to mitigate this vulnerability.
- Vendor
- Apache Software Foundation
- Product
- Apache Airflow FAB provider
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-14
Who should care
Users of Apache Airflow with FAB auth manager, especially those with lower-privileged users granted per-DAG access, should be aware of this vulnerability and take action to mitigate it. This includes reviewing existing DAGs and user permissions, and monitoring for any suspicious activity.
Technical summary
In the Apache Airflow FAB auth manager, a DAG whose dag_id is 'DAGs' collided with the global all-DAGs permission resource name produced by resource_name(). This collision could allow a user granted per-DAG access_control on that DAG to be silently granted the global all-DAGs permission, leading to privilege escalation. The escalation triggers when a DAG named 'DAGs' exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. The fix involves upgrading to apache-airflow-providers-fab 3.7.2 or later.
Defensive priority
High priority should be given to upgrading to apache-airflow-providers-fab 3.7.2 or later, which disambiguates the resource-name collision, and reviewing existing DAGs and user permissions.
Recommended defensive actions
- Upgrade to apache-airflow-providers-fab 3.7.2 or later
- Review existing DAGs and user permissions
- Monitor for any suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T16:16:41.880Z and was last modified on 2026-07-14T01:07:30.960Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.
Official resources
-
CVE-2026-59245 CVE record
CVE.org
-
CVE-2026-59245 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Mailing List, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T16:16:41.880Z and has not been modified since then. The NVD entry is currently Analyzed.