Home

Description

In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.

PUBLISHED Reserved 2026-07-04 | Published 2026-07-13 | Updated 2026-07-13 | Assigner apache

Problem types

CWE-269: Improper Privilege Management

Product status

Default status
unaffected

Any version before 3.7.2
affected

Credits

Tran Hieu (h1tr3xnull) finder

Jarek Potiuk remediation developer

References

github.com/apache/airflow/pull/69106 patch

lists.apache.org/thread/70f37q3mwov1vm3zolrfxlzds278c78h vendor-advisory

cve.org (CVE-2026-59245)

nvd.nist.gov (CVE-2026-59245)

Download JSON