CVE-2026-46745 PUBLISHED

Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token

Assigner: apache
Reserved: 18.05.2026 Published: 25.05.2026 Updated: 25.05.2026

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

Product Status

Vendor	Apache Software Foundation
Product	Apache Airflow FAB provider
Versions	Default: unaffected affected from 0 to 3.6.4 (excl.)

Credits

Venkatraman Kumar (r3dw0lfsec), Securin finder
orbisai0security (automated scanner — Orbis Security AI) remediation developer

References

https://github.com/apache/airflow/pull/66417
https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh

Problem Types

CWE-90: (LDAP Injection) CWE