Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
{
"github_reviewed_at": "2026-06-30T16:59:52Z",
"cwe_ids": [
"CWE-90"
],
"severity": "MODERATE",
"nvd_published_at": "2026-05-25T11:16:18Z",
"github_reviewed": true
}