In the Apache Airflow FAB auth manager, a DAG whose dag_id is DAGs collided with the global all-DAGs permission resource name produced by resource_name(), so a user granted per-DAG access_control on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named DAGs exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to apache-airflow-providers-fab 3.7.2 or later, which disambiguates the resource-name collision.
{
"cna_assigner": "apache",
"cwe_ids": [
"CWE-269"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59245.json"
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:apache:apache-airflow-providers-fab:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.7.2"
}
]
}