Privilege Escalation in Apache Airflow FAB Auth Manager
CVE-2026-59245
Currently unrated
What is CVE-2026-59245?
A vulnerability in the Apache Airflow FAB auth manager allows for privilege escalation due to a resource name collision involving a DAG named 'DAGs'. When a user is granted per-DAG access to this specific DAG, they unintentionally gain global permissions, thereby gaining read and edit access to all DAGs. This presents significant security risks, particularly for users with lower privileges. It is crucial for affected users to upgrade to version 3.7.2 or later of the 'apache-airflow-providers-fab' package to resolve this issue and mitigate the risk of improper access control.
Affected Version(s)
Apache Airflow FAB provider 0 < 3.7.2