Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2761 articles · 175003 vulns · 36/41 feeds (7d)
← Back to list
—
CVE-2026-59245EXPLOITEDPATCHED
apache software foundation · apache airflow fab provider

Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)

Description

In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.

Affected Products

VendorProductVersions
apache software foundationapache airflow fab provider0

References

  • https://github.com/apache/airflow/pull/69106(patch)
  • https://lists.apache.org/thread/70f37q3mwov1vm3zolrfxlzds278c78h(vendor-advisory)

Related News (2 articles)

Tier C
oss-security7h ago
CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
→ No new info (linked only)
Tier C
VulDB9h ago
CVE-2026-59245 | Apache Airflow up to 3.7.1 FAB Auth Manager resource_name dag_id permission
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.7.2
CWECWE-269
PublishedJul 13, 2026
Last enriched6h agov3
Trending Score51
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 51
NONECVE-2026-49365
Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Trending: 18
NONECVE-2026-49099
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Trending: 18
NONECVE-2026-49098
Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
Trending: 18
MEDIUMCVE-2026-49296
Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Trending: 18

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 13, 2026
Discovered by ZDM
Jul 13, 2026
Updated: affectedVersions, severity, activelyExploited
Jul 13, 2026
Updated: severity
Jul 13, 2026
Actively Exploited
Jul 13, 2026
Patch Available
Jul 13, 2026

Version History

v3
Last enriched 6h ago
v3Tier C6h ago

Updated severity from HIGH to MEDIUM and set patchAvailable to null.

severity
via oss-security
v2Tier C9h ago

Updated affected versions to include 3.7.1, changed severity to HIGH, and noted that there is no exploit available.

affectedVersionsseverityactivelyExploited
via VulDB
v19h ago

Initial creation