Apache Airflow FAB Auth Manager LDAP Filter Injection Vulnerability

Vulnerability

An LDAP filter injection vulnerability (CWE-90) has been identified in the Apache Airflow FAB Auth Manager, shipped in the apache-airflow-providers-fab package, in versions prior to 3.6.4. Input supplied to the '/auth/token' endpoint, which is reachable without prior authentication, is incorporated into an LDAP search filter without being escaped, so an attacker can change the structure of the filter rather than just the value being compared. This can be used to exfiltrate directory data or to bypass authentication. Only deployments that authenticate Airflow users against LDAP are affected.
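To make the mechanism concrete, the following is an added example and not code from the Apache Airflow FAB provider or from the Airflow project. It shows a user filter built by string interpolation beside the same filter with the value escaped according to RFC 4515, and evaluates both against a small constructed in-memory directory with a minimal filter parser. The filter template '(&(objectClass=person)(uid=<username>))', the first-match resolve flow, the directory entries and all function names are assumptions made for the illustration.

```python
"""LDAP filter injection (CWE-90): the vulnerable pattern beside its escaped form.

Added illustration, not code from the Apache Airflow FAB provider. The filter
template, the search-then-resolve flow and the in-memory directory below are
constructed for the example. Escaping follows RFC 4515 section 3.
"""
import re

# Constructed sample directory; keys are lowercased attribute names.
DIRECTORY = [
    {"objectclass": ["person"], "uid": ["alice"]},
    {"objectclass": ["person"], "uid": ["bob"]},
    {"objectclass": ["person"], "uid": ["admin"]},
]


def escape_filter_value(value: str) -> str:
    """Hex-escape the characters RFC 4515 forbids in a raw assertion value."""
    # Backslash first, so the escapes introduced below are not re-escaped.
    value = value.replace("\\", r"\5c")
    for ch, rep in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, rep)
    return value


def vulnerable_user_filter(username: str) -> str:
    """Interpolates caller-controlled input straight into the filter (CWE-90)."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_user_filter(username: str) -> str:
    """Same template, but the value is escaped so it can only ever be a literal."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def _parse(s: str, i: int):
    """Parse a small RFC 4515 subset: (&..), (|..), (!..) and (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated assertion")
    attr, sep, val = s[i:j].partition("=")
    if not sep:
        raise ValueError("assertion without '='")
    return ("=", attr.lower(), val), j + 1


def parse_filter(s: str):
    """Parse a complete filter; trailing data is an error, as a real server reports."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    # An unescaped '*' is a substring wildcard; everything else compares literally.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Return the uids of every entry the filter selects."""
    node = parse_filter(filter_str)
    return [e["uid"][0] for e in directory if matches(node, e)]


def resolve_uid(filter_str: str, directory=DIRECTORY):
    """Assumed lookup flow: the first hit is taken as 'the' user, which is why an
    over-broad filter lets an attacker land on an entry that is not theirs."""
    hits = search(filter_str, directory)
    return hits[0] if hits else None


if __name__ == "__main__":
    for name in ("alice", "*", "*)(objectClass=*"):
        print(repr(name), search(vulnerable_user_filter(name)), search(safe_user_filter(name)))
```

With the vulnerable template a username of '*' or '*)(objectClass=*' selects every person in the directory and the resolve step silently returns the first one; with the escaped template the same inputs select nothing, because they can only match a uid that literally contains those characters. A payload that appends a second filter, such as '*)(uid=*))(|(uid=*', is rejected by the parser as trailing data, which is the behaviour to expect from a conforming server and explains why real injections keep the overall filter balanced.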

Impact

An unauthenticated attacker who can reach '/auth/token' could use the injected filter to enumerate or exfiltrate data from the directory, or to bypass authentication and gain unauthorized access to the Airflow deployment.

Remediation

Users are advised to upgrade the FAB provider (apache-airflow-providers-fab) to version 3.6.4 or later; the installed version can be checked with 'pip show apache-airflow-providers-fab' or 'airflow providers list'. If an immediate upgrade is not possible, disable LDAP authentication until the provider can be updated: in FAB this means setting AUTH_TYPE in webserver_config.py to a value other than AUTH_LDAP, after which only users with local database accounts can log in until LDAP is re-enabled on the fixed version.

Added: May 26, 2026, 11:32 PM
Updated: May 26, 2026, 11:32 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          5.0
exploitability  7.0
remediation     7.9
relevance       9.4
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.