THREATOPS
THREAT OPSThreat News › CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)

CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)

medoss_secPublished 2026-07-13

<p>Posted by Vincent Beck on Jul 13</p>Severity: moderate <br /> <br /> Affected versions:<br /> <br /> - Apache Airflow FAB provider (apache-airflow-providers-fab) before 3.7.2<br /> <br /> Description:<br /> <br /> In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission <br /> resource name produced by `resource_name()`, so a user grant

Indicators of compromise

Original source: https://seclists.org/oss-sec/2026/q3/125