Lucene search
+L

16 matches found

osv
osv
added 3 days ago6 views

CVE-2026-59245 Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)

In the Apache Airflow FAB auth manager, a DAG whose dagid is DAGs collided with the global all-DAGs permission resource name produced by resourcename, so a user granted per-DAG accesscontrol on that one DAG was silently granted the global all-DAGs permission privilege escalation. The escalation...

8.1CVSS6.1AI score0.0036EPSS
Exploits0References6
osv
osv
added 2026/07/07 2:34 p.m.3 views

PYSEC-2026-1147 Apache Airflow Fab Provider Insufficient Session Expiration vulnerability

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...

2.1CVSS5.9AI score0.00936EPSS
Exploits0References6
vulnrichment
vulnrichment
added 2026/05/25 10:41 a.m.9 views

CVE-2026-46745 Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...

5.8AI score0.00574EPSS
Exploits0References2
cvelist
cvelist
added 2026/05/25 10:41 a.m.55 views

CVE-2026-46745 Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...

0.00574EPSS
Exploits0References2
osv
osv
added 2026/05/25 10:41 a.m.3 views

CVE-2026-46745 Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...

5.3CVSS5.9AI score0.00574EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/05/25 12:0 a.m.26 views

PT-2026-43033

Name of the Vulnerable Software and Affected Versions apache-airflow-providers-fab versions prior to 3.6.4 Description Apache Airflow FAB Auth Manager is subject to an LDAP filter injection, which occurs when user-supplied input is improperly sanitized before being used in an LDAP filter. This...

5.3CVSS5.8AI score0.00574EPSS
Exploits0References17
redhatcve
redhatcve
added 2025/05/23 8:8 a.m.6 views

CVE-2024-45033

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...

8.1CVSS8AI score0.01366EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/05/23 7:55 a.m.10 views

CVE-2024-42447

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 when used with Apache Airflow 2.9.3 and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. FAB provider 1.2.1 only affected...

9.8CVSS9.3AI score0.00921EPSS
Exploits0
bdu_fstec
bdu_fstec
added 2025/03/24 12:0 a.m.8 views

The vulnerability of the Apache Airflow Fab Provider software, which is used for creating, monitoring, and orchestrating data processing scenarios in Apache Airflow, stems from incorrect session duration settings. This allows attackers to maintain a session in the system.

The vulnerability of the Apache Airflow Fab Provider software, which is used for creating, monitoring, and orchestrating data processing scenarios, is related to incorrect session duration settings. Exploiting this vulnerability allows a malicious actor to maintain a session on the system...

8.5CVSS5.5AI score0.00936EPSS
Exploits0References4Affected Software1
vulnersosv
vulnersosv
added 2025/01/08 9:44 a.m.9 views

apache-airflow (=2.9.0b2), apache-airflow-providers-common-compat (>=1.0.0 <=1.6.0b1) potentially affected by CVE-2024-45033 via apache-airflow-providers-fab (>=1.0.2b0 <=1.4.1)

apache-airflow-providers-fab PYPI version =1.0.2b0, =1.0.0, =1.6.0b1 Source cves: CVE-2024-45033 Source advisory: SNYK:PYTHON-APACHEAIRFLOWPROVIDERSFAB-8603622...

8.1CVSS5.8AI score0.00936EPSS
Exploits0
vulnersosv
vulnersosv
added 2025/01/08 9:30 a.m.6 views

apache-airflow (=2.9.0b2), apache-airflow-providers-common-compat (>=1.0.0 <=1.6.0b1) potentially affected by CVE-2024-45033 via apache-airflow-providers-fab (>=1.0.2b0 <=1.4.1)

apache-airflow-providers-fab PYPI version =1.0.2b0, =1.0.0, =1.6.0b1 Source cves: CVE-2024-45033 Source advisory: OSV:GHSA-8863-4QMG-FR45...

8.1CVSS5.8AI score0.00936EPSS
Exploits0
osv
osv
added 2025/01/08 9:30 a.m.7 views

GHSA-8863-4QMG-FR45 Apache Airflow Fab Provider Insufficient Session Expiration vulnerability

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...

2.1CVSS7.8AI score0.00936EPSS
Exploits0References4
github
github
added 2025/01/08 9:30 a.m.19 views

Apache Airflow Fab Provider Insufficient Session Expiration vulnerability

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...

8.1CVSS6.7AI score0.00936EPSS
Exploits0References4Affected Software1
cve
cve
added 2025/01/08 8:41 a.m.355 views

CVE-2024-45033

CVE-2024-45033 affects Apache Airflow Fab Provider prior to 1.5.2. The root cause is insufficient session expiration: after a user’s password is changed via the admin CLI, the user’s existing sessions are not cleared, allowing continued access even after password changes. This issue is CLI-specif...

8.1CVSS6.4AI score0.00936EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2025/01/08 8:41 a.m.41 views

CVE-2024-45033 Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...

0.00936EPSS
Exploits0References2
osv
osv
added 2025/01/08 8:41 a.m.19 views

CVE-2024-45033 Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...

8.1CVSS7.1AI score0.00936EPSS
Exploits0References5
Rows per page
Query Builder