CVE-2026-46745— Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Possible ATT&CK Techniques 2AI
T1552.005 · Cloud Instance Metadata API T1110.004 · Credential StuffingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46745
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
Source: NVD (National Vulnerability Database)
Vulnerability Description
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
LDAP查询中使用的特殊元素转义处理不恰当(LDAP注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Airflow FAB provider | 0 ~ 3.6.4 | - |
II. Public POCs for CVE-2026-46745
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46745
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-46745 (1)
Mailing List Discussions for CVE-2026-46745 (1)
Same Patch Batch · Apache Software Foundation · 2026-05-25 · 5 CVEs total
| CVE-2026-42797 | Apache Syncope: JexlContextBuilder Information Disclosure | |
| CVE-2026-42782 | Apache Syncope: Post-auth RCE via Groovy static | |
| CVE-2026-45361 | Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook | |
| CVE-2026-45249 | Apache ECharts: XSS in Lines series tooltip rendering |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-42797
Apache Syncope: JexlContextBuilder Information Disclosure - CVE-2026-42782
Apache Syncope: Post-auth RCE via Groovy static - CVE-2026-45361
Apache Airflow Google provider: SSH host key verification di - CVE-2026-45249
Apache ECharts: XSS in Lines series tooltip rendering - CVE-2026-44417
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS
Same weakness: CWE-90
- CVE-2026-44930
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Reposi - CVE-2026-44063
LDAP filter injection - CVE-2026-41919
Apache OFBiz: Authentication Bypass due to Improper Neutrali - CVE-2026-44671
ZITADEL: LDAP Filter Injection in Login Flow - CVE-2026-44304
Lemur: LDAP Filter Injection enables post-authentication pri
V. Comments for CVE-2026-46745
No comments yet