52 matches found
CVE-2026-48726
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the auth manager logout handling where previously-issued JWT tokens are left valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually...
PYSEC-2026-187
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...
PYSEC-2026-187
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...
PYSEC-0000-CVE-2026-48726
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...
CVE-2026-48726
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...
CVE-2026-48726
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...
CVE-2026-48726
CVE-2026-48726 describes a bug in Apache Airflow where the logout flow for FabAuthManager and KeycloakAuthManager does not reach revoke_token(), leaving previously issued JWTs valid until expiry. This creates a residual gap after CVE-2025-57735 where cookie-side invalidation was addressed but pro...
PT-2026-45379
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description A bug in the authentication manager logout handling allows previously issued JSON Web Tokens JWT to remain valid after a user logs out via the user interface. In deployments configured with...
LDAP Injection
Overview apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow Affected versions of this package are vulnerable to LDAP Injection through the ldapbindindirect and nested group search code in override.py. An attacker can manipulate the LDAP username or...
CVE-2026-46745
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...
CVE-2026-46745 Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...
CVE-2026-46745 Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...
PT-2026-43033
Name of the Vulnerable Software and Affected Versions apache-airflow-providers-fab versions prior to 3.6.4 Description Apache Airflow FAB Auth Manager is subject to an LDAP filter injection, which occurs when user-supplied input is improperly sanitized before being used in an LDAP filter. This...
io.fabric8.fab.tests:fab-itests (=1.1.0.Beta3), io.quarkiverse.artemis:quarkus-test-artemis (>=3.12.0 <=3.12.1.CR1) +27 more potentially affected by CVE-2026-27446 via org.apache.artemis:artemis-server (>=2.50.0 <=2.51.0)
org.apache.artemis:artemis-server MAVEN version =2.50.0, =3.12.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.50.0, =2.51.0 and more Source cves: CVE-2026-27446 Source advisory: OSV:GHSA-FW88-PF9M-P947...
EUVD-2025-136683
Malicious code in sahuar-satidaf-fab npm...
MAL-2025-178500 Malicious code in sahuar-satidaf-fab (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 86af7d383b6e44dba730a9bcee571a4efb12e05d0cafaaa8a5bb3844484840ad This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2024-45033
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged...
CVE-2024-42447
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 when used with Apache Airflow 2.9.3 and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. FAB provider 1.2.1 only affected...
The vulnerability of the Apache Airflow Fab Provider software, which is used for creating, monitoring, and orchestrating data processing scenarios in Apache Airflow, stems from incorrect session duration settings. This allows attackers to maintain a session in the system.
The vulnerability of the Apache Airflow Fab Provider software, which is used for creating, monitoring, and orchestrating data processing scenarios, is related to incorrect session duration settings. Exploiting this vulnerability allows a malicious actor to maintain a session on the system...