MEDIUM 5.3

GHSA-g283-w6fp-c4fc

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability

Details

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

Affected packages

PyPI / apache-airflow-providers-fab
Introduced in: 0
Fixed in: 3.6.4
Fix: pip install --upgrade 'apache-airflow-providers-fab>=3.6.4'
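
A local check for the affected range listed above, as an added example (not part of the advisory or of Apache Airflow's code): it compares a version string, or the version installed in the current Python environment, against the fixed release 3.6.4. The function names are illustrative, and treating pre-releases of 3.6.4 as affected is an assumption.

```python
"""Added example: is an apache-airflow-providers-fab version in the affected range?"""
import re
from importlib import metadata

PACKAGE = "apache-airflow-providers-fab"  # package named in the advisory
FIXED = (3, 6, 4)                         # "Fixed in" value from the advisory

_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
# Suffixes that sort *before* the final release under PEP 440 (rc1, .dev0, a1, ...).
_PRE = re.compile(r"^[-_.]?(?:alpha|beta|preview|pre|rc|dev|a|b|c)[-_.]?\d*")


def is_affected(version: str) -> bool:
    """True if `version` sorts below the fixed release (range: 0 <= v < 3.6.4)."""
    match = _VERSION.match(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    suffix = match.group(2).split("+", 1)[0]      # drop local label (+build)
    is_pre = bool(_PRE.match(suffix))             # .post1 does not match
    width = max(len(release), len(FIXED))         # compare 3.6 as 3.6.0
    release += (0,) * (width - len(release))
    fixed = FIXED + (0,) * (width - len(FIXED))
    # Assumption: a pre-release of the fixed version is treated as affected,
    # because it sorts below 3.6.4 and the advisory only names 3.6.4.
    return release < fixed or (release == fixed and is_pre)


def installed_status():
    """Return (installed_version or None, affected?) for this interpreter."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    version, affected = installed_status()
    if version is None:
        print(f"{PACKAGE} is not installed in this environment")
    else:
        print(f"{PACKAGE} {version}: {'AFFECTED, upgrade' if affected else 'fixed'}")
```

Run it with the same interpreter (virtualenv or container image) that runs the Airflow API server, since that is the environment whose installed provider matters.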

References