CVE-2026-46745 Overview
CVE-2026-46745 is an LDAP filter injection vulnerability [CWE-90] in the Apache Airflow Flask AppBuilder (FAB) Auth Manager. The flaw allows unauthenticated network attackers to inject malicious LDAP filter syntax into authentication requests. Successful exploitation can lead to directory data exfiltration or authentication bypass against deployments using LDAP as the identity backend. Apache has released apache-airflow-providers-fab version 3.6.4 to remediate the issue.
Critical Impact
Unauthenticated attackers can manipulate LDAP queries to extract directory information or bypass authentication controls in Apache Airflow environments configured with the FAB Auth Manager.
Affected Products
- Apache apache-airflow-providers-fab (versions prior to 3.6.4)
- Apache Airflow deployments configured with FAB Auth Manager using LDAP authentication
- Any downstream distribution bundling vulnerable versions of the FAB provider
Discovery Timeline
- 2026-05-25 - CVE-2026-46745 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46745
Vulnerability Analysis
The vulnerability resides in the Lightweight Directory Access Protocol (LDAP) authentication path of the FAB Auth Manager. User-supplied input is concatenated into LDAP search filters without proper escaping of special characters such as *, (, ), \, and the NUL byte. Attackers can manipulate filter logic to alter the semantics of the search query sent to the directory server.
This class of flaw [CWE-90] enables two distinct attack outcomes. First, attackers can craft wildcard-heavy filters that enumerate directory entries, exfiltrating usernames, group memberships, or attribute values. Second, attackers can construct filters that match arbitrary accounts, enabling authentication bypass when the application equates a successful directory match with valid credentials.
The issue is network-reachable and requires no prior authentication or user interaction, increasing its exposure on internet-facing Airflow web servers.
Root Cause
The root cause is missing or insufficient sanitization of authentication parameters before they are interpolated into LDAP filter strings. RFC 4515 requires that user-controlled values be escaped before inclusion in a filter. The pre-3.6.4 FAB provider failed to apply this escaping consistently on the login flow.
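The escaping RFC 4515 calls for is mechanical, so the following added example shows it in Python next to the unescaped pattern the advisory describes. This is illustrative code written for this page, not the FAB provider's own implementation: the filter template `(&{base_filter}({uid_field}={username}))`, the `uid_field` and `base_filter` parameters, and the `has_unescaped_metachars` audit helper are assumptions, not the project's configuration keys or API.

```python
from typing import Dict

# RFC 4515 section 3: the characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return `value` with every RFC 4515 metacharacter replaced by its \\XX form.

    Per-character substitution means the backslash is escaped exactly once and
    never re-processed, which avoids the ordering bug of chained str.replace calls.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(uid_field: str, username: str,
                              base_filter: str = "(objectClass=person)") -> str:
    """Pre-fix pattern (hypothetical reconstruction): the submitted username is
    interpolated verbatim, so any metacharacter it carries changes filter semantics."""
    return f"(&{base_filter}({uid_field}={username}))"


def build_login_filter(uid_field: str, username: str,
                       base_filter: str = "(objectClass=person)") -> str:
    """Hardened form: only operator-controlled pieces (uid_field, base_filter)
    are trusted as filter syntax; the username is always an escaped literal."""
    return f"(&{base_filter}({uid_field}={escape_filter_value(username)}))"


def has_unescaped_metachars(filter_value: str) -> bool:
    """Audit helper: True if a value fragment still carries a raw metacharacter.

    A backslash is acceptable only when it introduces a two-hex-digit escape.
    """
    hex_digits = "0123456789abcdefABCDEF"
    i = 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch in "*()\x00":
            return True
        if ch == "\\":
            if len(filter_value) < i + 3 or not all(c in hex_digits for c in filter_value[i + 1:i + 3]):
                return True
            i += 3
            continue
        i += 1
    return False


if __name__ == "__main__":
    # Constructed input: a username carrying one wildcard character.
    submitted = "al*ce"
    print("unsafe :", build_login_filter_unsafe("uid", submitted))
    print("escaped:", build_login_filter("uid", submitted))
```

The audit helper is useful in a unit test for any code path that builds filters: feed it the value fragment after interpolation and fail the test if a raw metacharacter survived.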
Attack Vector
An unauthenticated attacker submits a crafted username or login payload to the Airflow login endpoint. The FAB Auth Manager incorporates the payload into an LDAP search filter and forwards it to the directory server. By injecting filter metacharacters, the attacker alters the matching logic to either return additional directory records or match an existing account without supplying its real password.
The vulnerability manifests in the LDAP filter construction logic of the FAB Auth Manager login handler. See the GitHub Pull Request Update and the Apache Mailing List Discussion for the upstream fix and advisory details.
Detection Methods for CVE-2026-46745
Indicators of Compromise
- LDAP filter metacharacters such as *), (|, or (& appearing in the username field of Airflow login requests
- Unusually large LDAP search responses originating from the Airflow service account to the directory server
- Successful logins from accounts that have no matching audit trail of password changes or normal usage patterns
- HTTP POST requests to /login containing URL-encoded LDAP filter operators
Detection Strategies
- Inspect Airflow webserver access logs for login attempts containing LDAP wildcard or boolean operator characters in submitted credentials
- Correlate directory server query logs with Airflow authentication events to identify abnormally broad or deeply nested search filters
- Alert on authentication successes that originate from new IP addresses combined with non-standard username payloads
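The first and third strategies above can be combined into a simple log scanner. The following is an added example for this page, not tooling from the Airflow or FAB projects. It assumes a reverse proxy or WAF in front of the webserver that appends the login request body to a combined-format access log as `body="..."` (stock gunicorn access logs do not record bodies), and it treats a 302 response to POST /login as the signature of a successful login; both are assumptions. The log lines are constructed samples.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample: combined access-log lines with the POST body appended by a
# hypothetical proxy/WAF logging rule. Passwords are assumed to be redacted at source.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2026:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 body="username=alice&password=REDACTED"
10.0.0.9 - - [25/May/2026:10:00:07 +0000] "POST /login HTTP/1.1" 200 0 body="username=%2A%29%28%7C&password=REDACTED"
10.0.0.7 - - [25/May/2026:10:00:12 +0000] "GET /home HTTP/1.1" 200 512
10.0.0.9 - - [25/May/2026:10:00:19 +0000] "POST /login HTTP/1.1" 302 0 body="username=bob%28%26&password=REDACTED"
10.0.0.8 - - [25/May/2026:10:00:25 +0000] "POST /login HTTP/1.1" 302 0 body="username=o%27neil&password=REDACTED"
"""

# Combined log format plus the optional body="..." field described in the lead-in.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
    r'(?: body="(?P<body>[^"]*)")?'
)

# RFC 4515 filter metacharacters. Boolean operators (|, &, !) only matter after
# an opening parenthesis, so matching "(" already covers the "(|" and "(&" indicators.
META_RE = re.compile(r'[*()\\\x00]')


def extract_username(body: str) -> Optional[str]:
    """Decode the form body once and return the submitted username, if any."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("username")
    return values[0] if values else None


def scan_login_attempts(log_text: str) -> List[Dict]:
    """Return one finding per POST /login whose decoded username carries a
    filter metacharacter. A finding with a 302 status is flagged as a
    suspicious success for triage against the directory server's query log."""
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("path") != "/login":
            continue
        body = m.group("body")
        if body is None:
            continue
        username = extract_username(body)
        if username is None:
            continue
        metachars = sorted(set(META_RE.findall(username)))
        if not metachars:
            continue  # legitimate punctuation such as an apostrophe is not flagged
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "username": username,
            "metachars": metachars,
            "status": status,
            "suspicious_success": status == 302,  # assumption: 302 == login accepted
        })
    return findings


if __name__ == "__main__":
    for finding in scan_login_attempts(SAMPLE_LOG):
        print(finding)
```

Decoding the body before matching matters: the page's IoC list notes that the operators arrive URL-encoded, so a pattern applied to the raw line would miss `%2A` or `%28`. Correlating each finding's timestamp with the directory server's audit log (the second strategy above) then confirms whether the filter actually reached the backend.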
Monitoring Recommendations
- Enable verbose LDAP query auditing on the directory server bound to Airflow
- Forward Airflow auth and webserver logs to a centralized SIEM for filter-pattern matching
- Monitor the installed version of apache-airflow-providers-fab across Airflow deployments and alert on versions below 3.6.4
How to Mitigate CVE-2026-46745
Immediate Actions Required
- Upgrade apache-airflow-providers-fab to version 3.6.4 or later on every Airflow scheduler, webserver, and worker node
- If upgrade is not immediately feasible, disable LDAP authentication in the FAB Auth Manager configuration
- Restrict network access to the Airflow webserver login endpoint using IP allowlists or a reverse proxy with WAF rules
- Rotate credentials for the LDAP bind account used by Airflow and review recent authentication logs for anomalies
Patch Information
Upgrade to apache-airflow-providers-fab 3.6.4 or later. The upstream fix is tracked in the GitHub Pull Request Update and announced via the Apache Mailing List Discussion and the Openwall OSS-Security Update.
Workarounds
- Disable LDAP authentication and switch to a non-LDAP auth backend such as database or OAuth until the provider can be updated
- Place the Airflow webserver behind a WAF rule that rejects login payloads containing LDAP filter metacharacters
- Limit the LDAP bind account permissions to the minimum subtree and attributes required to validate logins
# Upgrade the FAB provider to a patched version
pip install --upgrade "apache-airflow-providers-fab>=3.6.4"
# Verify installed version
pip show apache-airflow-providers-fab | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


