5.3
CVE-2026-46745
- EPSS 0.57%
- Veröffentlicht 25.05.2026 10:41:16
- Zuletzt bearbeitet 27.05.2026 15:31:05
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Apache ≫ Apache-airflow-providers-fab Version < 3.6.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.57% | 0.429 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
https://github.com/apache/airflow/pull/66417
https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh
http://www.openwall.com/lists/oss-security/2026/05/24/10