๐Ÿ” CVE Alert

CVE-2026-59245

HIGH 8.1

Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)

CVSS Score
8.1
EPSS Score
0.4%
EPSS Percentile
28th

In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.

CWE CWE-269
Vendor apache software foundation
Product apache airflow fab provider
Published Jul 13, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow fab provider

Be the first to know when new high vulnerabilities affecting apache software foundation apache airflow fab provider are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow FAB provider
0 < 3.7.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apache/airflow/pull/69106 lists.apache.org: https://lists.apache.org/thread/70f37q3mwov1vm3zolrfxlzds278c78h openwall.com: http://www.openwall.com/lists/oss-security/2026/07/13/4

Credits

Tran Hieu (h1tr3xnull) Jarek Potiuk