PYSEC-2026-2366

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-fab/PYSEC-2026-2366.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2366
Aliases
Published
2026-07-13T15:19:12.107945Z
Modified
2026-07-13T16:31:27.898328434Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability
Details

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

References

Affected packages

PyPI / apache-airflow-providers-fab

Package

Name
apache-airflow-providers-fab
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-fab

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.4

Affected versions

1.*
1.0.0rc1
1.0.0
1.0.1.dev0
1.0.1
1.0.2.dev0
1.0.2.dev1
1.0.2.dev2
1.0.2b0
1.0.2rc1
1.0.2
1.0.3rc1
1.0.3
1.0.4rc1
1.0.4
1.1.0rc1
1.1.0
1.1.1rc1
1.1.1
1.2.0rc1
1.2.0
1.2.1rc1
1.2.1
1.2.2rc1
1.2.2
1.3.0rc1
1.3.0
1.4.0rc1
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0rc3
1.5.0
1.5.1rc1
1.5.1
1.5.2rc1
1.5.2
1.5.3rc1
1.5.3
1.5.4rc1
1.5.4
2.*
2.0.0b1
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0
2.0.1rc1
2.0.1
2.0.2rc1
2.0.2rc2
2.0.2
2.1.0rc1
2.1.0
2.2.0rc1
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1
2.3.0rc1
2.3.0
2.3.1rc1
2.3.1
2.4.0rc1
2.4.0
2.4.1rc1
2.4.1
2.4.2rc1
2.4.2
2.4.3rc1
2.4.3
2.4.4rc1
2.4.4
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2
3.0.3rc1
3.0.3
3.1.0rc1
3.1.0
3.1.1rc1
3.1.1
3.1.2rc1
3.1.2
3.2.0rc1
3.2.0
3.3.0rc1
3.3.0
3.4.0rc1
3.4.0
3.5.0rc1
3.5.0
3.6.0rc1
3.6.0
3.6.1rc1
3.6.1
3.6.2rc1
3.6.2
3.6.3rc1
3.6.3
3.6.4rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-fab/PYSEC-2026-2366.yaml"