
Description

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
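The record above names the weakness class (CWE-90) and the remediation but does not show what the fix for such a bug looks like in code. The following is an added illustration, not code from Apache Airflow, the FAB provider, or the linked patch: it places the CWE-90 pattern (a caller-supplied value concatenated straight into an LDAP search filter) next to the hardened form, which escapes the value per RFC 4515 so filter metacharacters are treated as literal text, and adds a defensive check a reviewer could use to confirm a login filter is a single literal assertion. The function names, the `uid` attribute and the sample inputs are assumptions for the example.

```python
# Added example: RFC 4515 filter-value escaping as the remediation for CWE-90.
# Not code from Apache Airflow or apache-airflow-providers-fab; function names,
# the filter template and the sample inputs are assumptions for illustration.

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_HEX_DIGITS = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_vulnerable(username: str, uid_attr: str = "uid") -> str:
    """The CWE-90 pattern: the login name is interpolated into the filter unescaped,
    so a name containing '*', '(' or ')' changes the filter's structure."""
    return f"({uid_attr}={username})"


def build_user_filter_safe(username: str, uid_attr: str = "uid") -> str:
    """Hardened form: the value is escaped first, so it can only ever be a literal."""
    return f"({uid_attr}={escape_filter_value(username)})"


def filter_is_single_literal_assertion(ldap_filter: str, uid_attr: str) -> bool:
    """Defensive check: a login lookup must be exactly one equality assertion on
    uid_attr whose value contains no unescaped filter metacharacters and only
    well-formed \\XX escape sequences."""
    prefix = f"({uid_attr}="
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(")")):
        return False
    value = ldap_filter[len(prefix):-1]
    i = 0
    while i < len(value):
        ch = value[i]
        if ch in "*()\x00":
            return False  # unescaped metacharacter: the value is not a literal
        if ch == "\\":
            hex_part = value[i + 1:i + 3]
            if len(hex_part) != 2 or not set(hex_part) <= _HEX_DIGITS:
                return False  # backslash not followed by two hex digits
            i += 3
            continue
        i += 1
    return True


if __name__ == "__main__":
    # Constructed sample login names: an ordinary one and one that is just a wildcard.
    for name in ("alice", "*"):
        vulnerable = build_user_filter_vulnerable(name)
        safe = build_user_filter_safe(name)
        print(f"{name!r}: unescaped {vulnerable} -> literal? "
              f"{filter_is_single_literal_assertion(vulnerable, 'uid')}; "
              f"escaped {safe} -> literal? "
              f"{filter_is_single_literal_assertion(safe, 'uid')}")
```

With the unescaped builder a login name of `*` produces `(uid=*)`, a wildcard that matches every entry, which is why the check rejects it; the escaped builder produces `(uid=\2a)`, a search for the literal asterisk. Real LDAP client libraries ship an equivalent escaping helper; the point of the hand-written version is to make visible exactly which characters the remediation has to neutralise.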

Status: PUBLISHED | Reserved 2026-05-18 | Published 2026-05-25 | Updated 2026-05-25 | Assigner: apache

Problem types

CWE-90: LDAP Injection

Product status

Default status: unaffected

Any version before 3.6.4: affected

Credits

Finder: Venkatraman Kumar (r3dw0lfsec), Securin

Remediation developer: orbisai0security (automated scanner, Orbis Security AI)

References

www.openwall.com/lists/oss-security/2026/05/24/10

github.com/apache/airflow/pull/66417 (patch)

lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh (vendor advisory)

cve.org (CVE-2026-46745)

nvd.nist.gov (CVE-2026-46745)
