CVE-2026-59245
Apache Software Foundation · Apache Airflow FAB provider
A privilege escalation vulnerability in the Apache Airflow FAB auth manager allows authenticated users to gain global DAG permissions due to a naming collision with the `DAGs` resource.
Executive summary
A high-severity privilege escalation flaw in the Apache Airflow FAB provider allows authenticated users to bypass access controls and gain unauthorized administrative rights over all DAGs.
Vulnerability
This is an improper privilege management issue (CWE-269). A naming collision between a specific DAG named DAGs and the global all-DAGs permission resource causes the authentication manager to incorrectly grant global access to users who were only intended to have restricted access to that single DAG.
Business impact
This vulnerability enables an authenticated user to escalate their privileges significantly beyond their intended scope. By gaining global read and edit access to every DAG in the system, an attacker could potentially modify workflows, exfiltrate sensitive data, or sabotage business processes. The CVSS score of 8.1 reflects the high potential for unauthorized access and impact on system integrity.
Remediation
Immediate Action: Update the Apache Airflow FAB provider to version 3.7.2 or later to resolve the permission collision.
Proactive Monitoring: Review audit logs for any users who have recently accessed or modified DAGs outside of their assigned scope.
Compensating Controls: Temporarily rename any existing DAGs named DAGs to avoid the collision until the patch can be applied, and strictly audit user role assignments in the FAB auth manager.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
Immediate remediation is required to prevent unauthorized privilege escalation. Administrators should apply the update to the FAB provider promptly and verify that user permissions are correctly scoped to prevent further exposure of sensitive workflow data.