Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2781 articles · 175026 vulns · 36/41 feeds (7d)
← Back to list
8.1
CVE-2026-59245EXPLOITEDPATCHED
apache · airflow

Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)

Description

In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.

Affected Products

VendorProductVersions
apacheairflow0

References

  • https://github.com/apache/airflow/pull/69106(patch)
  • https://lists.apache.org/thread/70f37q3mwov1vm3zolrfxlzds278c78h(vendor-advisory)

Related News (2 articles)

Tier C
oss-security9h ago
CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
→ No new info (linked only)
Tier C
VulDB10h ago
CVE-2026-59245 | Apache Airflow up to 3.7.1 FAB Auth Manager resource_name dag_id permission
→ No new info (linked only)
CVSS 3.18.1 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.7.2
CWECWE-269
PublishedJul 13, 2026
Last enriched46m agov3
Trending Score56
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-49844EXP
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Trending: 60
HIGHCVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 56
CRITICALCVE-2026-40008EXP
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Trending: 44
CRITICALCVE-2026-40005EXP
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Trending: 44
CRITICALCVE-2026-28564EXP
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Trending: 44

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 13, 2026
Discovered by ZDM
Jul 13, 2026
Updated: affectedVersions, severity, activelyExploited
Jul 13, 2026
Updated: severity
Jul 13, 2026
Actively Exploited
Jul 13, 2026
Patch Available
Jul 13, 2026

Version History

v3
Last enriched 46m ago
v3Tier C8h ago

Updated severity from HIGH to MEDIUM and set patchAvailable to null.

severity
via oss-security
v2Tier C10h ago

Updated affected versions to include 3.7.1, changed severity to HIGH, and noted that there is no exploit available.

affectedVersionsseverityactivelyExploited
via VulDB
v111h ago

Initial creation