Back to overview

CVE-2026-59245

Description
In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.

Metadata

CVE ID
CVE-2026-59245
State
PUBLISHED
Assigner
apache
Reserved
2026-07-04 01:50 UTC
Published
2026-07-13 15:05 UTC
Last updated
2026-07-13 19:30 UTC
Primary CWE
CWE-269
CWE-269: Improper Privilege Management
Vendor / Product
Apache Software Foundation / Apache Airflow FAB provider
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Apache Software Foundation Apache Airflow FAB provider 0 < 3.7.2
Weakness (CWE)
CWESourceDescription
CWE-269 cna CWE-269: Improper Privilege Management
Back to overview