CVE-2026-46745

CVE-2026-46745: Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token

Vendor Apache Software Foundation

Product Apache Airflow FAB provider

Weakness CWE-90 · LDAP injection

Published May 25, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

Key dates

Disclosure timeline

May 25, 2026 CVE published

May 26, 2026 Record updated