CVE-2026-46745

MEDIUM 5.3

Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token

CVSS Score

5.3

EPSS Score

0.2%

EPSS Percentile

41th

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

CWE	CWE-90
Vendor	apache software foundation
Product	apache airflow fab provider
Published	May 25, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow fab provider

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow fab provider are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow FAB provider

0 < 3.6.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/66417 lists.apache.org: https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh openwall.com: http://www.openwall.com/lists/oss-security/2026/05/24/10

Credits

Venkatraman Kumar (r3dw0lfsec), Securin orbisai0security (automated scanner — Orbis Security AI)