PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59245 Apache Software Foundation CVE debrief

A high-severity vulnerability was found in the Apache Airflow FAB auth manager. A DAG named 'DAGs' colliding with the global all-DAGs permission resource name produced by resource_name() could allow a user granted per-DAG access_control on that DAG to be silently granted the global all-DAGs permission, leading to privilege escalation. This issue arises when a DAG named 'DAGs' exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to take immediate action to mitigate this vulnerability.

Vendor
Apache Software Foundation
Product
Apache Airflow FAB provider
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-14
Advisory published
2026-07-13
Advisory updated
2026-07-14

Who should care

Users of Apache Airflow with FAB auth manager, especially those with lower-privileged users granted per-DAG access, should be aware of this vulnerability and take action to mitigate it. This includes reviewing existing DAGs and user permissions, and monitoring for any suspicious activity.

Technical summary

In the Apache Airflow FAB auth manager, a DAG whose dag_id is 'DAGs' collided with the global all-DAGs permission resource name produced by resource_name(). This collision could allow a user granted per-DAG access_control on that DAG to be silently granted the global all-DAGs permission, leading to privilege escalation. The escalation triggers when a DAG named 'DAGs' exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. The fix involves upgrading to apache-airflow-providers-fab 3.7.2 or later.

Defensive priority

High priority should be given to upgrading to apache-airflow-providers-fab 3.7.2 or later, which disambiguates the resource-name collision, and reviewing existing DAGs and user permissions.

Recommended defensive actions

  • Upgrade to apache-airflow-providers-fab 3.7.2 or later
  • Review existing DAGs and user permissions
  • Monitor for any suspicious activity
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-13T16:16:41.880Z and was last modified on 2026-07-14T01:07:30.960Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T16:16:41.880Z and has not been modified since then. The NVD entry is currently Analyzed.